A persistent and reliable session securely traversing network components using an encapsulating protocol

ABSTRACT

The invention relates to systems and methods for reestablishing client communications by securely traversing network components using an encapsulating communication protocol to provide session persistence and reliability. A first protocol that encapsulates a plurality of secondary protocols is used to communicate over a network to provide session persistence and a reliable connection between a client and a host service via a first protocol service. A ticket authority generates a first ticket and a second ticket associated with the client. The first ticket is provided to the client and the client uses the first ticket to establish a communication session with the first protocol service. The second ticket is provided to the first protocol service and the first protocol service uses the second ticket to establish a communication session with the host service.

CROSS REFERENCE TO RELATED APPLICATIONS

The present invention is a continuation-in-part of U.S. patentapplication Ser. No. 10/083,324 filed Feb. 26, 2002, entitled “SECURETRAVERSAL OF NETWORK COMPONENTS”, and a continuation-in-part of U.S.patent application Ser. No. 10/683,381, filed Oct. 10, 2003 entitled“ENCAPSULATING PROTOCOL FOR SESSION PERSISTENCE AND RELIABILITY”, ofwhich the contents are incorporated herein by reference.

TECHNICAL FIELD

The invention generally relates to network communications. Moreparticularly, the invention relates to systems and methods forreestablishing client communications by securely traversing networkcomponents using an encapsulating communication protocol to providesession persistence and reliability.

BACKGROUND INFORMATION

Communications over a network between two computers, for example, aclient and a server, can be implemented using a variety of knowncommunication protocols. Typically, the client communicates with theserver to download content from the server over the network. Forexample, the server may host one or more applications accessible by theclient. Furthermore, the client may communicate with the server via aproxy that is typically a security gateway, such as a router orfirewall, through which content from the server passes. Additionally,the server may include a firewall to prohibit unauthorizedcommunications to and from the server. The client gains access to theserver and the content of the server through the security of the proxyand the firewall of the server. Often, however, the network connectiontraversing to the server via a proxy is susceptible to breakdown. Forinstance, a wireless connection between a client and a proxy is oftenunreliable. In other cases, the network connection is intermittent. Assuch, a connection can be lost when one enters an elevator or tunnel andmay only be restored following one's exit from the elevator or tunnel.

If an established communication session between the client and theserver computer abnormally terminates, the client generally has tore-establish the connection by starting a new communication session. Tobegin the new communication session, the user typically has toretransmit authentication credentials, such as a login/password pair, tothe proxy and the server computer so that the user can be authorized forthe new communication session. This retransmission of the authenticationcredentials of a user across multiple communication sessions repeatedlyexposes the authentication credentials of that user to potentialattackers, thereby decreasing the level of security of theauthentication credentials. Furthermore, if an attacker bypasses thesecurity of the proxy or the firewall of the server, the attacker maygain access to the content of the server without encountering additionalsecurity. In addition, having the user re-enter authenticationcredentials is often a slow process that may result in user frustrationand inefficiency.

When communicating over a network connection using many currentprotocols, data packets are lost when the network connection isdisrupted. For example, when communicating via a standard TCP networkconnection, data buffers are typically flushed upon disruption of theconnection. As such, when the network connection is restored, anetworked application, such as a user session on a server, is unable toresume where it was prior to disruption. Typically an error message isdisplayed, adding user frustration to inconvenience. Moreover,communicating over a network with many protocols often requires frequentre-establishment of the transport connection. For example, using HTTP,either on its own or on conjunction with a proxy protocol, to browse awebsite over a standard TCP connection requires, in addition to a newHTTP connection for each resource, the closure of a previous TCP/proxyprotocol connection and the opening of a new TCP/proxy protocolconnection for each resource.

Thus, it is desirable to provide a technique for re-establishing acommunication session between a client computer and a server computerwithout requiring repeated transmission of the client's authenticationcredentials and while increasing the protection of the server from anunauthorized user. Improved systems and methods are needed forre-establishing a communication session between a client computer and aserver computer without repeatedly transmitting the authenticationcredentials to securely traverse multiple network components.

SUMMARY OF THE INVENTION

The present invention relates to systems and methods for reconnecting aclient to a persistent and reliable connection with a host service, inwhich the connection securely traverses network components. Reconnectingthe client includes re-establishing the client's connection to the hostservice and re-authenticating the user of the client to the hostservice, including re-authenticating one or more of the connectionsbetween the client and the host service. A persistent and reliableconnection to a host service is maintained by one or more first protocolservices on behalf of a client. The first protocol services ensure thatdata communicated between the client and the host service is bufferedand maintained during any disruption in the network connection betweenthe client and the host service. For example, a temporary disruption ina network connection may occur when a client, such as a mobile client,roams between different access points in the same network, or when aclient switches between networks (e.g., from a wired network to awireless network).

In addition to maintaining buffered data during a network disruption,the first protocol service re-authenticates the client to the hostservice when re-establishing the client's connection to the firstprotocol service. This prevents the user of the client from re-enteringauthentication credentials to re-establish its connection with the hostservice. Moreover, each of the multiple connections between the clientand the host service, for example, via a first protocol service actingas a proxy, is re-authenticated to provide additional securityprotection in accessing the host service. After re-authenticating, thefirst protocol service re-links the client's connection to the hostservice. In summary, the present invention provides for re-establishinga network connection between a client and a host service to securelytraverse network components to the server and without the userreentering authentication credentials.

In one aspect, the present invention relates to a method forre-connecting a client to a host service. The method comprises the stepof providing a communication session between a client and a host servicevia a first connection between the client and a first protocol service,and a second connection between the first protocol service and the hostservice. The method further includes detecting a disruption in one ofthe first connection and the second connection, and maintaining theother of one of the first connection and the second connection. Inanother step of the method, the first protocol service obtains a firstticket and a second ticket, and validates the first ticket tore-establish the disrupted connection. The first protocol servicevalidates the second ticket to continue use of the maintainedconnection, and links the re-established connection to the maintainedconnection.

In one embodiment, the method comprises maintaining the communicationsession during the disruption in the disrupted connection. In anotherembodiment, the method further comprises generating one of the firstticket and the second ticket by at least one of the first protocolservice and a ticket authority. The method may include validating, bythe ticket authority, at least one of the first ticket and the secondticket.

In another embodiment, the method further comprises authenticating theclient to a web server and transmitting by the web server the firstticket to the client. The method may further comprise authenticating, bythe host service, the client upon establishment of the communicationsession. In one embodiment, the method includes transmitting, by theclient, the first ticket to the first protocol service.

In a further embodiment, the first protocol service comprises a proxyserver. In another embodiment, the first protocol service comprises asecurity gateway. The method may further include the client and thefirst protocol service communicating using a first protocolencapsulating a second protocol, and the first protocol service and thehost service communicating using the second protocol.

In another embodiment, the first ticket is valid for the firstconnection, and the second ticket is valid for the second connection.Optionally, the second ticket may be disabled until the first ticket isvalidated. In one embodiment, the re-established connection is linked tothe maintained connection after the first ticket and the second ticketare validated.

In a further embodiment, either or both of the first connection and thesecond connection may comprise a plurality of connections connected viaone of an intermediary node and one or more first protocol services. Themethod may further include generating a third ticket for at least one ofthe plurality of connections. The third ticket may be valid for theleast one of the plurality of connections.

In another aspect, the present invention relates to a system forre-connecting a client to a host service. The system comprises a clientand a first protocol service. The client establishes a communicationsession with a host service via a first connection. The first protocolservice establishes the first connection with the client and a secondconnection with the host service. The first protocol service maintains aconnection comprising at least one of the first connection and thesecond connection. Furthermore, the first protocol service validates afirst ticket to re-establish a disrupted connection in one of the firstconnection and the second connection, and validates a second ticket touse the other of the one of the first connection and the secondconnection. The system further includes the first protocol servicelinking the re-established connection to the maintained connection.

In one embodiment, the system further comprises a ticket authoritygenerating at least one of the first ticket and the second ticket. Inanother embodiment, the first protocol service maintains thecommunication session during a disruption in the disrupted connection.In a further embodiment, the first protocol service generates at leastone of the first ticket and the second ticket. The system may includethe ticket authority validating at least one of the first ticket and thesecond ticket.

In another embodiment, the system further comprises a web server. Theweb server authenticates the client, and, in one embodiment, transmitsthe first ticket to the client. In a further embodiment, the clienttransmits the first ticket to the first protocol service. In yet anotherembodiment, the host service authenticates the client upon establishmentof the communication session.

In one embodiment, the first protocol service comprises a proxy server,and, in another embodiment, the first protocol service may comprise asecurity gateway. The system may include the client and the firstprotocol service communicating using a first protocol encapsulating asecond protocol, and the first protocol service and the host servicecommunicating using the second protocol.

In a further embodiment, the first ticket is valid for the firstconnection, and the second ticket is valid for the second connection.Additionally, the second ticket may be disabled until the first ticketis validated. In one embodiment, the first protocol service links there-established connection to the maintained connection after the firstticket and the second ticket are validated.

In yet a further embodiment, one of the first connection and the secondconnection comprises a plurality of connections connected via one of anintermediary node and one or more first protocol services. The systemfurther includes generating a third ticket for at least one of theplurality of connections, and in one embodiment, the third ticket isvalid for the least one of the plurality of connections.

The details of various embodiments of the invention are set forth in theaccompanying drawings and the description below.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other objects, aspects, features, and advantages ofthe invention will become more apparent and may be better understood byreferring to the following description taken in conjunction with theaccompanying drawings, in which:

FIG. 1A is a block diagram of a system for providing a client with areliable connection to a host service according to an illustrativeembodiment of the invention;

FIG. 1B is a block diagram of a system for providing a client with areliable connection to a host service according to another illustrativeembodiment of the invention;

FIG. 2A depicts communications occurring over a network according to anillustrative embodiment of the invention;

FIG. 2B depicts communications occurring over a network according toanother illustrative embodiment of the invention;

FIG. 3 depicts a process for encapsulating a plurality of secondaryprotocols within a first protocol for communication over a networkaccording to an illustrative embodiment of the invention;

FIG. 4 is a flow diagram illustrating an embodiment of the operation ofthe communications system of FIGS. 1A-1B in accordance with theinvention;

FIG. 5A is a block diagram of another embodiment of a communicationssystem constructed in accordance with the invention;

FIG. 5B is a flow diagram illustrating an embodiment of the operation ofthe communications system of FIG. 5A in accordance with the invention;

FIG. 6A is a block diagram of the illustrative system of FIG. 1A furtherincluding components for re-connecting the client to a host serviceaccording to an illustrative embodiment of the invention;

FIG. 6B is a block diagram of the illustrative system of FIG. 6A furtherincluding components for initially connecting the client to a hostservice according to another illustrative embodiment of the invention;

FIG. 6C is a block diagram of the illustrative system of FIG. 6B furtherincluding a component for initially connecting the client to the hostservice and for re-connecting the client to the host service accordingto another illustrative embodiment of the invention;

FIG. 6D is a block diagram of an alternative embodiment of the system ofFIG. 6C;

FIG. 7 is a flow diagram of a method for network communicationsaccording to an illustrative embodiment of the invention;

FIGS. 8A-8C are flow diagrams of a method for connecting a client to aplurality of host services according to an illustrative embodiment ofthe invention;

FIG. 9 is a flow diagram of a method for providing a client with areliable connection to host services and for re-connecting the client tothe host services according to an illustrative embodiment of theinvention; and

FIGS. 10A-10B are flow diagrams of a method for re-connecting a clientto host services according to an illustrative embodiment of theinvention.

DESCRIPTION

Certain embodiments of the present invention are described below. It is,however, expressly noted that the present invention is not limited tothese embodiments, but rather the intention is that additions andmodifications to what is expressly described herein also are includedwithin the scope of the invention. Moreover, it is to be understood thatthe features of the various embodiments described herein are notmutually exclusive and can exist in various combinations andpermutations, even if such combinations or permutations are notexpressly made herein, without departing from the spirit and scope ofthe invention.

The illustrative embodiment of the present invention provides systemsand methods for establishing a reliable and persistent connectionbetween a client and a host service, and reconnecting the connectionwhen there is a disruption in the connection. A client establishes acommunication session with a host service via a first connection betweena client and a first protocol service and a second connection betweenthe first protocol service and the host service. The client communicateswith the first protocol service using a first protocol and the firstprotocol service communicates with the host service using a secondprotocol. The second protocol is communicated from the client to thefirst protocol service encapsulated within the first protocolcommunications. When a disruption in the either the first connection orsecond connection is detected, the first protocol service re-establishesthe disrupted connection while maintaining the connection that is notdisrupted. The disrupted connection is linked with the maintainedconnection to re-connect the client to the host service.

Furthermore, the illustrative embodiment of the present inventionprovides systems and methods for securely traversing network componentsin establishing and reconnecting a client to a host service. The firstprotocol service may act as a proxy between the client and the hostservice and as such, may comprise a security gateway. The first protocolservice obtains a first ticket and a second ticket from a ticketauthority. The first ticket is used for validating the connectionbetween the client and the first protocol service, and the second ticketis used for validating the connection between the first protocol serviceand the host service. The second ticket may be disabled until the firstticket is validated. The first protocol service validates the firstticket in re-establishing or maintaining the use of the firstconnection, and the second ticket in re-establishing or maintaining theuse of the second connection. When the first and second tickets arevalidated and the connections re-established, the first protocol servicelinks the first connection with the second connection to maintain theclient's communication session with the host service. Additional ticketscan be generated and validated for re-establishing or maintaining theuser additional connections, or “hops”, between the client and the hostservice. In this manner, each connection, or “hop”, between the clientand the host service is validated.

Referring to FIG. 1A, in general, the invention pertains to networkcommunications and can be particularly useful for providing a clientwith a reliable connection to a host service. In a broad overview, asystem 100 for network communications includes a client 108 (e.g., afirst computing device) in communication with a first protocol service112 (e.g., a second computing device) over a network 104. Also includedin the system 100 are a plurality of host services 116 a-116 n residingon a host node 188 (e.g., third computing device) that are incommunication with the first protocol service 112 and, through the firstprotocol service 112 and over the network 104, with the client 108.Alternatively, in another illustrative embodiment of the invention, andwith reference now to FIG. 1B, the first protocol service 112 and thehost services 116 a-116 n are not implemented on separate computingdevices, as shown in FIG. 1A, but, rather, they are incorporated intothe same computing device, such as, for example, host node 118 a. InFIG. 1B, the host services 116 a-116 n communicate with the firstprotocol service 112 over the network 104′. The system 100 can includeone, two, or any number of host nodes 118 a-118 n.

In one embodiment, the networks 104 and 104′ are separate networks, asin FIG. 1B. The networks 104 and 104′ can be the same network 104, asshown in FIG. 1A. In one embodiment, the network 104 and/or the network104′ is, for example, a local-area network (LAN), such as a companyIntranet, or a wide area network (WAN), such as the Internet or theWorld Wide Web. The client 108, the first protocol service 112, the hostservices 116 a-116 n, and/or the host nodes 118 a-118 n can be connectedto the networks 104 and/or 104′ through a variety of connectionsincluding, but not limited to, standard telephone lines, LAN or WANlinks (e.g., 802.11, T1, T3, 56 kb, X.25), broadband connections (e.g.,ISDN, Frame Relay, ATM), wireless connections, or some combination ofany or all of the above.

The client 108 is in communication with the first protocol service 112over the client-first protocol service communication channel 135 andalso in communication with the web server 120 over the client-web servercommunication channel 140. The first protocol service 112 is incommunication with the ticket authority 136 over a first protocolservice-authority communication channel 145 and the web server 120 is incommunication with the ticket authority 136 over a web server-authoritycommunication channel 150. The first protocol service 112 is also incommunication with the host node 118 over first protocol service-servercommunication channels 124 a-124 n. In another embodiment, the webserver 120 can communicate with the host node 118 over an agent-servercommunication channel 155. Similarly, the host node 118 can communicatewith the ticket authority 136 over a ticket-server communication channel157. In one embodiment, the respective communication channels 124 a-124n, 135, 140, 145, 150, 155, 157 are established over the network 104.

Example embodiments of the communication channels 124 a-124 n, 135, 140,144, 150, 155, 157 include standard telephone lines, LAN or WAN links(e.g., T1, T3, 56 kb, X.25), broadband connections (ISDN, Frame Relay,ATM), and wireless connections. The connections over the communicationchannels 124 a-124 n, 135, 140, 144, 150, 155, 157 can be establishedusing a variety of communication protocols (e.g., HTTP, HTTPS, TCP/IP,IPX, SPX, NetBIOS, Ethernet, RS232, messaging application programminginterface (MAPI) protocol, real-time streaming protocol (RTSP),real-time streaming protocol used for user datagram protocol scheme(RTSPU), the Progressive Networks Multimedia (PNM) protocol developed byRealNetworks, Inc. of Seattle, Wash., manufacturing messagespecification (MMS) protocol, and direct asynchronous connections).

In another aspect, FIG. 1A shows a block diagram of an embodiment of acommunications system 100 for secure delivery of content. In oneembodiment, the first protocol service 112 comprises a proxy 115 and thesystem 100 includes a web server 120, and a ticket authority 136. Thesystem 100 also includes two firewalls 160, 161 which prohibitunauthorized communications to/from the host node 118. The networkbetween the firewalls 160, 161 is often referred to as a “demilitarizedzone,” (DMZ) 130. In one embodiment, the DMZ 130 includes the ticketprotocol service 112, comprising a proxy 115, and the web server 120.

The DMZ 130 separates the host services 116 a-116 n from the components(e.g., first protocol service 112) of the system 100 that are accessibleby unauthorized individuals. As described above, the DMZ 130 isdelineated with two firewalls 160, 161 that prohibit unauthorizedcommunication. The first firewall 160 and the second firewall 161 eachapply a set of policy rules to determine which messages can traverse theDMZ 130. In one embodiment, the first firewall 160 and the secondfirewall 161 apply the same set of policy rules. Alternatively, thefirst firewall 160 and the second firewall 161 may apply different setsof policy rules. Each firewall 160, 161 can be a router, computer, orany other network access control device. In another embodiment, thesystem 100 includes one of the firewalls 160, 161 or no firewall 160,160. In another embodiment, one of the firewalls 160, 161 is deployed onthe host node 118. In another embodiment (not shown), one or more of thefirewalls 160, 161 are deployed on an intermediary node.

In one embodiment, the first protocol service 112 includes a proxy 115which comprises a security gateway through which messages over theclient-first protocol service communication channel 135 must pass. Inone embodiment, the network firewall 160 repudiates any incoming messagefrom the client-first protocol service communication channel 135 thatdoes not have the first protocol service 112 as its destination.Likewise, the network firewall 160 repudiates any outgoing message forthe client-first protocol service communication channel 135 unless itssource is the first protocol service 112. Although illustrated as aproxy 115 of the first protocol service 112, the security gateway canalternatively be a router, firewall, relay, or any network componentthat can provide the necessary security. In another embodiment, theproxy 115 is a network component separate from the first protocolservice 112 that may run on the same computing device of the firstprotocol service 112 or on a different computing device. For example, inFIG. 1B, the proxy 115 is separated from the first protocol service 112.The proxy 115 is in the DMZ 130 with the web server 120. Multipleinstances of the first protocol service 112 are running on each of thehost nodes 118 a-118 n. Each first protocol service 112 communicateswith the proxy 115 over the communication channel 135, which is theclient-first protocol service communication channel 135. In this case,the proxy 115 component is an intermediary for securely passingcommunications between the client 108 and the first protocol service112.

The network 104 can be a local-area network (LAN), a wide area network(WAN), or a network of networks such as the Internet or the World WideWeb (i.e., web). The respective communication channels 124 a-124 n, 135,140, 145, 150, 155, 157 may each be part of different networks. Forexample, the client-first protocol service communication channel 135 canbelong to a first network (e.g., the World Wide Web) and the client-webserver communication channel 140 can belong to a second network (e.g., asecured extranet or Virtual Private Network (VPN)). In otherembodiments, the network 104 spans the DMZ 230 as well as the serverfarm 169 and the same communication protocol is used throughout. In someembodiments, no firewall 160 separates the first protocol service 112and web server 120 from the host node 118 and ticket authority 136.

Example embodiments of the communication channels 124 a-124 n, 135, 140,144, 150, 155, 157 include standard telephone lines, LAN or WAN links(e.g., T1, T3, 56 kb, X.25), broadband connections (ISDN, Frame Relay,ATM), and wireless connections. The connections over the communicationchannels 124 a-124 n, 135, 140, 144, 150, 155, 157 can be establishedusing a variety of communication protocols (e.g., HTTP, HTTPS, TCP/IP,IPX, SPX, NetBIOS, Ethernet, RS232, messaging application programminginterface (MAPI) protocol, real-time streaming protocol (RTSP),real-time streaming protocol used for user datagram protocol scheme(RTSPU), the Progressive Networks Multimedia (PNM) protocol developed byRealNetworks, Inc. of Seattle, Wash., manufacturing messagespecification (MMS) protocol, and direct asynchronous connections).

The client 108 can be any workstation, desktop computer, laptop,handheld computer, mobile telephone, smart or dumb terminal, networkcomputer, wireless device, information appliance, minicomputer,mainframe computer or other form of computing or telecommunicationsdevice that is capable of communication and that has sufficientprocessor power and memory capacity to perform the operations describedherein. Additionally, the client 108 can be a local desktop client on alocal network 104 or can be a remote display client of a separatenetwork 104′. The client 108 can include, for example, a visual displaydevice (e.g., a computer monitor), a data entry device (e.g., akeyboard), persistent and/or volatile storage (e.g., computer memory), aprocessor, and a mouse. Operating systems supported by the client 108can include any member of the WINDOWS family of operating systems fromMicrosoft Corporation of Redmond, Wash., Macintosh operating system,JavaOS, and various varieties of Unix (e.g., Solaris, SunOS, Linux,HP-UX, A/IX, and BSD-based distributions), or any other operating systemcapable of supporting the client 108 in performing the operationsdescribed herein.

In one embodiment, the client 108 includes a web browser 162, such asINTERNET EXPLORER developed by Microsoft Corporation in Redmond, Wash.,to connect to the web. In a further embodiment, the web browser 162 usesthe existing Secure Socket Layer (SSL) support to establish the secureclient-web server communication channel 140 to the web server 120. SSLis a secure protocol developed by Netscape Communication Corporation ofMountain View, Calif., and is now a standard promulgated by the InternetEngineering Task Force (IETF).

In some embodiments, as shown in FIGS. 1A and 1B, a client agent 128 isincluded within the client 108. The client agent 128 may be used forestablishing and exchanging communications with the host service 116a-116 n over the client-first protocol service communication channel135. The client agent 128 can be, for example, implemented as a softwareprogram and/or as a hardware device, such as, for example, an ASIC or anFPGA. The client agent 128 can use any type of protocol and it can be,for example, an HTTP client agent, an FTP client agent, an Oscar clientagent, or a Telnet client agent. In one embodiment, the client agent 128is an ICA client, developed by Citrix Systems, Inc. of Fort Lauderdale,Fla., and is hereafter referred to as ICA client 128. Other embodimentsof the client agent 128 include an RDP client, developed by MicrosoftCorporation of Redmond, Wash., a data entry client in a traditionalclient/server application, an ActiveX control, or a java applet. In someembodiments, the client agent 128 is itself configured to communicateusing the first protocol. In some embodiments (not shown), the client108 includes a plurality of client agents 128 a-128 n, each of whichcommunicates with a host service 116 a-116 n, respectively. Moreover,the output of an application executing on the host service 116 a-116 ncan be displayed at the client 108 via, for example, the client agent128 or the web browser 162.

In another embodiment, a standalone client agent is configured to enablethe client 108 to communicate using the first protocol. The standaloneclient agent can be incorporated within the client 108 or,alternatively, the standalone client agent can be separate from theclient 108. The standalone client agent is, for example, a local hostproxy. In general, the standalone client agent can implement any of thefunctions described herein with respect to the client agent 128.

Similarly, with reference to FIG. 1A, each of the first protocol service112 and the host services 116 a-116 n can be provided on any computingdevice that is capable of communication and that has sufficientprocessor power and memory capacity to perform the operations describedherein. Alternatively, where the functionality of the first protocolservice 112 and the host services 116 a-116 n are incorporated into thesame computing device, such as, for example, one of the host nodes 118a-118 n, as in FIG. 1B, the first protocol service 112 and/or the hostservices 116 a-116 n can be implemented as a software program running ona general purpose computer and/or as a special purpose hardware device,such as, for example, an ASIC or an FPGA.

Similar to the client 108, each of the host nodes 118 a-118 n can be anycomputing device described above (e.g. a personal computer) that iscapable of communication and that has sufficient processor power andmemory capacity to perform the operations described herein. Each of thehost nodes 118 a-118 n can establish communication over thecommunication channels 124 a-124 n using a variety of communicationprotocols (e.g., ICA, HTTP, TCP/IP, and IPX). SPX, NetBIOS, Ethernet,RS232, and direct asynchronous connections).

In one embodiment, each of the host services 116 a-116 n hosts one ormore application programs that are remotely available to the client 108.Applications made available to the client 108 for use may be referred toas published applications. The same application program can be hosted byone or any number of the host services 116 a-116 n. Examples of suchapplications include word processing programs, such as MICROSOFT WORD,and spreadsheet programs, such as MICROSOFT EXCEL, both of which areavailable from Microsoft Corporation of Redmond, Wash. Other examples ofapplication programs that may be hosted by any or all of the hostservices 116 a-116 n include financial reporting programs, customerregistration programs, programs providing technical support information,customer database applications, and application set managers. Moreover,in one embodiment, one or more of the host services 116 a-116 n is anaudio/video streaming server that provides streaming audio and/orstreaming video to the client 108. In another embodiment, the hostservices 116 a-116 n include file servers that provide any/all filetypes to the client 108. In one embodiment, the host services 116 a-116n can communicate with the client 108 using a presentation protocol suchas ICA, from Citrix Systems, Inc. of Ft. Lauderdale, Fla. or RDP, fromMicrosoft Corporation of Redmond, Wash.

In a further embodiment, the host node 118 is a member of a server farm169, or server network, which is a logical group of one or more serversthat are administered as a single entity. In one embodiment, a serverfarm 169 includes multiple host nodes 118 a-118 n (generally 118).Although the embodiment shown in FIG. 1B has three host nodes 118 a-118n, the server farm 169 can have any number of host nodes 118, orservers. In other embodiments, the server farm 169 is a protectednetwork that is inaccessible by unauthorized individuals, such ascorporate Intranet, Virtual Private Network (VPN), or secure extranet.Additionally, the servers making up the server farm 169 may communicateover any of the networks described above (e.g., WAN, LAN) using any ofthe protocols discussed.

The ticket authority 136, which in the embodiment shown in FIG. 1A ispart of the server farm 169, issues one or more tickets to authenticatethe client 108. In particular, the ticket authority 136 enablesauthentication of the client 108 over one communication channel (i.e.,the client-web server communication channel 140) based on authenticationcredentials. The ticket authority 136 further enables the client 108 tobe authenticated to another communication channel (i.e., client-firstprotocol service communication channel 135) without having the client108 repeatedly provide authentication credentials on the othercommunication channel.

In one embodiment, the ticket authority 136 is a stand-alone networkcomponent. In other embodiments, a modular ticket authority 136 is asoftware module residing on one or more host nodes 118. For example,there may be a ticket authority 136 for each of the host nodes 118 a-118n as shown in FIG. 1B. In this embodiment, the web server 120 maycommunicate with the ticket authority 136 and/or the host node 118 overthe agent-server communication channel 155. In another embodiment, theticket authority 136 may reside on an intermediary node separate fromany of the host nodes 118 a-118 n.

In one embodiment, the ticket authority 136 generates a first ticket anda second ticket. In some embodiments, the tickets are both nonces. Infurther embodiments, the tickets are generated using a cryptographicrandom number generator that has been suitably seeded with randomness.The first ticket is transmitted to the client 108 and is used toestablish a first communication session between the client 108 and thefirst protocol service 112. The second ticket is transmitted to thefirst protocol service 112 and is used to establish a secondcommunication session between the first protocol service 112 and thehost node 118.

In one embodiment, the web server 120 delivers web pages to the client108. The web server 120 can be any personal computer (e.g., Macintoshcomputer, a personal computer having an Intel microprocessor, developedby Intel Corporation of Santa Clara, Calif., a personal computer havingan AMD microprocessor, developed by Advanced Micro Devices, Inc. ofSunnyvale, Calif., etc.), Windows-based terminal, Network Computer,wireless device (e.g., cellular phone), information appliance, RISCPower PC, X-device, workstation, mini computer, main frame computer,personal digital assistant, or other communications device that iscapable of establishing the secure client-web server communicationchannel 140 with the client 108.

In another embodiment, the web server 120 provides a corporate portal,also referred to as an Enterprise Information Portal, to the client 108.Enterprise portals are company web sites that aggregate, personalize andserve applications, data and content to users, while offering managementtools for organizing and using information more efficiently. In otherembodiments, the web server 120 provides a web portal, or Internetportal, to the client 108. A web portal is similar to a corporate portalbut typically does not include business-specific information.

In one embodiment, a user of the client 108 employs the web browser 162to authenticate the user to the web server 120. In one embodiment, theclient 108 transmits user credentials, such as login and passwordinformation, to the web server 120. The web server 120 verifies that theuser has access to the server network 169.

In a further embodiment, the web browser 162 uses SSL to establish thesecure client-web server communication channel 140. The web browser 162can alternatively connect to the web server 120 over the client-webserver communication channel 140 using other security protocols, suchas, but not limited to, Secure Hypertext Transfer Protocol (SHTTP)developed by Terisa Systems of Los Altos, Calif., HTTP over SSL (HTTPS),Private Communication Technology (PCT) developed by MicrosoftCorporation of Redmond, Wash., and the Transport Level Security (TLS)standard promulgated by the Internet Engineering Task Force (IETF). Inone embodiment, the web server 120 transmits a web portal or enterpriseportal, as described above, to the client 108 upon validation of theuser to enable the client 108 to request an application or a serverdesktop, for example, to be remotely displayed on the client 108.

The client-web server communication channel 140 is any securecommunication channel. In some embodiments, communications over channel140 are encrypted. In certain of these embodiments, the client 108 andthe web server 120 may communicate using the Secure Socket Layer (SSL)of the HyperText Transfer Protocol (HTTPS). Alternatively, the client108 and the web server 120 may use other encryption techniques, such assymmetric encryption techniques, to protect communications.

Further, in one embodiment the client-first protocol servicecommunication channel 135 can be established by using, for example, apresentation services protocol such as Independent ComputingArchitecture (ICA) protocol, manufactured by Citrix Systems, Inc. ofFort Lauderdale, Fla. ICA is a general-purpose presentation servicesprotocol designed to run over industry standard network protocols, suchas TCP/IP, IPX/SPX, NetBEUI, using industry-standard transportprotocols, such as ISDN, frame relay, and asynchronous transfer mode(ATM). The ICA protocol provides for virtual channels, which aresession-oriented transmission connections that can be used byapplication-layer code to issue commands for exchanging data. In otherembodiments, the client-first protocol service communication channel 135can be established using the thin X protocol or the Remote DisplayProtocol (RDP), developed by Microsoft Corporation of Redmond, Wash.

Although described as establishing a first communication session betweenthe client 108 and the first protocol service 112 and a secondcommunication session between the first protocol service 112 and thehost node 118, the communication session can be viewed as a single,logical communication session between the client 108 and the hostservice 116.

Referring still to the illustrative embodiments of FIGS. 1A and 1B, theclient 108 is configured to establish a connection 135 between theclient 108 and a first protocol service 112 over the network 104 using afirst protocol. For its part, the first protocol service 112 isconfigured to accept the connection 135. The client 108 and the firstprotocol service 112 can, therefore, communicate with one another usingthe first protocol as described below in reference to FIGS. 2A-2B andFIG. 3.

As also described further below, the first protocol service 112 is, inone embodiment, itself configured to communicate using the firstprotocol. The first protocol service 112 is configured to establish aconnection 124 a-124 n between the first protocol service 112 and thehost service 116 a-116 n, respectively. For example, the first protocolservice 112 can establish a connection 124 a between the first protocolservice 112 and one host service 116 a and a connection 124 b betweenthe first protocol service 112 and another host service 116 b. In oneembodiment, the first protocol service 108 separately establishes suchconnections 124 a-124 n (i.e., the first protocol service 112establishes one connection at a time). In another embodiment, the firstprotocol service 112 simultaneously establishes two or more of suchconnections 124 a-124 n.

In yet another embodiment, the first protocol service 112 canconcurrently establish and maintain multiple connections 124 a-124 n.The first protocol service 112 is configured to provide two or moreconnections 124 a-124 n without interrupting the connection 135 with theclient 108. For example, the first protocol service 112 can beconfigured to establish the connection 124 a between the first protocolservice 112 and the host service 116 a when a user of the client 108requests execution of a first application program residing on the hostservice 116 a. When the user ends execution of the first applicationprogram and initiates execution of a second application programresiding, for example, on the host service 116 b, the first protocolservice 112 is, in one embodiment, configured to interrupt theconnection 124 a and establish the connection 124 b between the firstprotocol service 112 and the host service 116 b, without disrupting theconnection 135 between the first protocol service 112 and the client108.

The first protocol service 112 and the host services 116 a-116 n cancommunicate over the connections 124 a-124 n, respectively, using anyone of a variety of secondary protocols, including, but not limited to,HTTP, FTP, Oscar, Telnet, the ICA remote display protocol from CitrixSystems, Inc. of Fort Lauderdale, Fla., and/or the RDP remote displayprotocol from Microsoft Corporation of Redmond, Wash. For example, thefirst protocol service 112 and the host service 116 a can communicateover the connection 124 a using the ICA remote display protocol, whilethe first protocol service 112 and the host service 116 b cancommunicate over the connection 124 b using the RDP remote displayprotocol.

In one embodiment, the secondary protocol used for communicating betweenthe first protocol service 112 and a host service 116, such as, forexample, the ICA remote display protocol, includes a plurality ofvirtual channels. A virtual channel is a session-oriented transmissionconnection that is used by application-layer code to issue commands forexchanging data. For example, each of the plurality of virtual channelscan include a plurality of protocol packets that enable functionality atthe remote client 108. In one embodiment, one of the plurality ofvirtual channels includes protocol packets for transmitting graphicalscreen commands from a host service 116, through the first protocolservice 112, to the client 108, for causing the client 108 to display agraphical user interface. In another embodiment, one of the plurality ofvirtual channels includes protocol packets for transmitting printercommands from a host service 116, through the first protocol service112, to the client 108, for causing a document to be printed at theclient 108.

In another embodiment, the first protocol is a tunneling protocol. Thefirst protocol service 112 encapsulates a plurality of secondaryprotocols, each used for communication between one of the host services116 a-116 n and the first protocol service 112, within the firstprotocol. As such, the host services 116 a-116 n and the first protocolservice 112 communicate with the client 108 via the plurality ofsecondary protocols. In one embodiment, the first protocol is, forexample, an application-level transport protocol, capable of tunnelingthe multiple secondary protocols over a TCP/IP connection.

Referring to FIG. 2A, communications between the client 108 and thefirst protocol service 112 via the connection 135 take the form of aplurality of secondary protocols 200 a-200 n (e.g., HTTP, FTP, Oscar,Telnet, ICA, and/or RDP) encapsulated within a first protocol 204. Thisis indicated by the location of secondary protocols 200 a-200 n insidethe first protocol 204. Where secure communication is not called for,the first protocol 204 can be, as illustrated in FIG. 2A, communicatedover an unsecured TCP/IP connection 208.

Referring now to FIG. 2B, if secure communication is used, the firstprotocol 204 is communicated over an encrypted connection, such as, forexample, a TCP/IP connection 212 secured by using a secure protocol 216such as the Secure Socket Layer (SSL). SSL is a secure protocol firstdeveloped by Netscape Communication Corporation of Mountain View,Calif., and is now a standard promulgated by the Internet EngineeringTask Force (IETF) as the Transport Layer Security (TLS) protocol anddescribed in IETF RFC-2246.

Thus, the plurality of secondary protocols 200 a-200 n are communicatedwithin the first protocol 204 with (FIG. 2B) or without (FIG. 2A) asecure protocol 216 over the connection 135. The secondary protocolsthat can be used to communicate over the connections 124 a-124 ninclude, but are not limited to, HTTP, FTP, Oscar, Telnet, ICA, and RDP.Moreover, in one embodiment, at least one of the secondary protocols, asdescribed above, includes a plurality of virtual channels, each of whichcan include a plurality of protocol packets enabling functionality atthe remote client 108. For example, in one embodiment, one host service116 a is a web server, communicating with the first protocol service 112over the connection 124 a using the HTTP protocol, and another hostservice 116 b is an application server, communicating with the firstprotocol service 112 over the connection 124 b using the ICA protocol.The host service 116 b generates both protocol packets for transmittinggraphical screen commands to the client 108, for causing the client 108to display a graphical user interface, and protocol packets fortransmitting printer commands to the client 108, for causing a documentto be printed at the client 108.

Another aspect of the present invention is the method and systemsdescribed herein reduce the number of times network connections areopened and closed. In one embodiment, the first protocol 204 allows thesecondary protocol connections 200 a-200 n tunneled therein, such as,for example, an HTTP connection 200 n, to be opened and/or closed,repetitively, without also requiring the transport connection over whichthe first protocol 204 is communicated (e.g., TCP connection 208 and/or212), the secure protocol connection 216, or the first protocolconnection 204 itself to similarly be repetitively opened and/or closed.Without the encapsulation of the first protocol 204, the secondaryprotocol 200 a-200 n may frequently open and close network connections,such as TCP connections. This would add significant delays and overheadto the system. These delays and overhead would be further increased bythe use of a secure encapsulation protocol 214, such as SSL, which havesignificant overhead in establishing network connections. Byencapsulating the secondary protocol 200 a-200 n within the firstprotocol 204 and maintaining the connection of the transport connection(208, 212), the secondary protocols 200 a-200 n, as part of the payloadof the first protocol 204, do not need to perform frequent and costlyopen and closes of the network connection 135. Furthermore, since thesecondary protocols 200 a-200 n can be communicated within the firstprotocol 204 with a secure protocol 216, the secondary protocols 200a-200 n also do not need to open and close secured connections such aswith SSL. The transport connection (208, 212) establishes and maintainsthe network connection 135 so that the encapsulated second protocols 200a-200 n can be communicated without repetitively opening and closing thesecured or unsecured network connection 135. This significantlyincreases the speed of operation in communicating the secondaryprotocols 200 a-200 n.

As described above, the secondary protocols 200 a-200 n carry protocolpackets related to applications using such protocols as HTTP, FTP,Oscar, Telnet, RDA or ICA. The secondary protocol packets 304 a-304 ntransport data related to the application functionality transactedbetween the client 108 and the host service 116 a-116 n. For example, auser on the client 108 may interact with a web page provided by a hostservice 116 a-116 n. In transactions between the client 108 and the hostservice 116 a-116 n, the secondary protocol 200 a-200 n encapsulated inthe first protocol 204 may have http protocol packets related todisplaying the web page and receiving any user interaction tocommunicate to the host service 116 a-116 n. Since the transportconnection (208, 212) is not maintained by the secondary protocols 200a-200 n, the secondary protocols 200 a-200 n do not need to handle anynetwork-level connection interruptions. As such, the secondary protocols200 a-200 n may not provide any network-level connection interruptioninformation in their payloads. In the above example, the http relatedsecondary protocol packets 304 a-304 n of the secondary protocol 200a-200 n transmitted to the client 108 would not provide a notificationthat a network interruption occurred, e.g., an error message on a webpage. Therefore, the user on the client 108 will not be notified of anynetwork-level connection interrupts through the secondary protocol 200a-200 n. This effectively hides the network connection interruptionsfrom the user during the use of the applications related to thesecondary protocols 200 a-200 n.

Referring to FIG. 3, an example process 300 used by the first protocolservice 112 and the client agent 128 of the client 108 encapsulates theplurality of secondary protocols 200 (e.g., HTTP, FTP, Oscar, Telnet,ICA, and/or RDP) within the first protocol 204 for communication via theconnection 135. Optionally, as described below, the example process 300used by the first protocol service 112 and the client agent 128 of theclient 108 also compresses and/or encrypts the communications at thelevel of the first protocol prior to communications via the connection135. From the point of view of the first protocol service 112, secondaryprotocol packets 304 a-304 n are received via the connections 124 a-124n at the first protocol service 112. For example, two secondary protocolpackets 304 a and 304 b are received by the first protocol service 112.One, two, or any number of secondary protocol packets 304 a-304 n can bereceived. In one embodiment, the secondary protocol packets 304 a-304 nare transmitted by the host services 116 to the first protocol service112 over the connection 124. The secondary protocol packets 304 a-304 ninclude a header 308 and a data packet 312, also referred to as a datapayload.

Following receipt of the secondary protocol packets 304 a-304 n, thefirst protocol service 112 encapsulates one or more of the secondaryprotocol packets 304 within a first protocol packet 316. In oneembodiment, the first protocol service 112 generates a first protocolpacket header 320 and encapsulates within the data payload 324 of thefirst protocol packet 316 one or more secondary protocol packets 304a-304 n, such as, for example, two secondary protocol packets 304 a and304 b. In another embodiment, only one secondary protocol packet 304 ais encapsulated in each first protocol packet 316.

In one embodiment, the first protocol packets 316 are then transmittedover the connection 135, for example over the connection 208 describedwith reference to FIG. 2A, to the client agent 128 of the client 108.Alternatively, in another embodiment, the first protocol service 112 isfurther configured to encrypt, prior to the transmission of any firstprotocol packets 316, communications at the level of the first protocol204. In one such embodiment, the first protocol packets 316 areencrypted by using, for example, the SSL protocol described withreference to FIG. 2B. As a result, a secure packet 328, including aheader 332 and an encrypted first protocol packet 316′ as a data payload336, is generated. The secure packet 328 can then be transmitted overthe connection 135, for example over the secure TCP/IP connection 212illustrated in FIG. 2B, to the client agent 128 of the client 108.

In another embodiment, the first protocol service 112 is furtherconfigured to compress, prior to the transmission of any first protocolpackets 316, communications at the level of the first protocol 204. Inone embodiment, prior to encrypting the first protocol packet 316, thefirst protocol service 112 compresses, using a standard compressiontechnique, the first protocol packet 316. As such, the efficiency of thesystem 100 is improved.

Referring again to FIGS. 1A-1B, the system 100 of the present invention,in one embodiment, provides the remote client 108 with a persistentconnection to a host service 116, such as, for example, the host service116 a. For example, if the client 108 establishes a connection 135between the client 108 and the first protocol service 112 and the firstprotocol service 112 establishes a connection 124 a between the firstprotocol service 112 and the host service 116 a, then either the clientagent 128, the first protocol service 112, or both are configured tomaintain a queue of the first protocol data packets most recentlytransmitted via the connection 135. For example, the queued data packetscan be maintained by the client agent 128 and/or the first protocolservice 112 both before and upon a failure of the connection 135.Moreover, upon a failure of the connection 135, the first protocolservice 112 and, likewise, the host service 116 a are configured tomaintain the connection 124 a.

Following a failure of the connection 135, the client 108 establishes anew connection 135 with the first protocol service 112, without losingany data. More specifically, because the connection 124 a is maintainedupon a failure of the connection 135, a newly established connection 135can be linked to the maintained connection 124 a. Further, because themost recently transmitted first protocol data packets are queued, theycan again be transmitted by the client 108 to the first protocol service112 and/or by the first protocol service 112 to the client 108 over thenewly established connection 135. As such, the communication sessionbetween the host service 116 a and the client 108, through the firstprotocol service 112, is persistent and proceeds without any loss ofdata.

In one embodiment, the client agent 128 of the client 108 and/or thefirst protocol service 112 number the data packets that they transmitover the connection 135. For example, each of the client agent 128 andthe first protocol service 112 separately numbers its own transmitteddata packets, without regard to how the other is numbering its datapackets. Moreover, the numbering of the data packets can be absolute,without any re-numbering of the data packets, i.e., the first datapacket transmitted by the client agent 128 and/or the first protocolservice 112 can be numbered as No. 1, with each data packet transmittedover the connection 135 by the client agent 128 and/or the firstprotocol service 112, respectively, consecutively numbered thereafter.

In one such embodiment, following a disrupted and re-establishedconnection 135, the client agent 128 and/or the first protocol service112 informs the other of the next data packet that it requires. Forexample, where the client agent 128 had received data packets Nos. 1-10prior to the disruption of connection 135, the client agent 128, uponre-establishment of the connection 135, informs the first protocolservice 112 that it now requires data packet No. 11. Similarly, thefirst protocol service 112 can also operate as such. Alternatively, inanother such embodiment, the client agent 128 and/or the first protocolservice 112 informs the other of the last data packet received. Forexample, where the client agent 128 had received data packets Nos. 1-10prior to the disruption of connection 135, the client agent 128, uponre-establishment of the connection 135, informs the first protocolservice 112 that it last received data packet No. 10. Again, the firstprotocol service 112 can also operate as such. In yet anotherembodiment, the client agent 128 and/or the first protocol service 112informs the other, upon re-establishment of the connection 135, of boththe last data packet received and the next data packet it requires.

In such embodiments, upon re-establishment of the connection 135, theclient agent 128 and/or the first protocol service 112 can retransmitthe buffered data packets not received by the other, allowing thecommunication session between a host service 116 and the client 108,through the first protocol service 112, to proceed without any loss ofdata. Moreover, upon re-establishment of the connection 135, the clientagent 128 and/or the first protocol service 112 can flush from each oftheir respective buffers the buffered data packets now known to bereceived by the other.

Although buffering data for a persistent connection is generallydiscussed in terms of a single first protocol service 112, the databuffering and re-connection techniques discussed above also apply in asimilar manner to a client's communication session with a host service116 that traverse multiple first protocol services 112. One or more ofthe additional first protocol service 112 may buffer a portion or all ofthe data traffic between the client 108 and the host service 116. Inanother embodiment, a first protocol service 112 managing one of the“hops” between a client and the host service 116 may buffer the datasent to and received from that “hop.” As such, one or more of the firstprotocol services 112 may be used for re-transmitting data packets uponre-establishment of a disrupted connection between the client 108 andthe host service 116.

By providing the client 108 with a reliable and persistent connection toa host service 116 a-116 n, the present invention avoids the process ofopening a new user session with the host service 116 a-116 n bymaintaining the user session through network connection interruptions.For each user session with a host service 116 a-116 n, the client 108and the host service 116 a-116 n may maintain session specific contextand caches, and other application specific mechanisms related to thatinstance of the user session. For each new user session established,these session specific context and caches need to be re-populated orre-established to reflect the new user session. For example, a user onthe client 108 may have an http session with a host service 116 a-116 n.The host service 116 a-116 n may keep context specific to providing thisinstance of the http session with the client 108. The context may bestored in the memory of the server, in files of the server, a databaseor other component related to providing the functionality of the hostservice 116 a-116 n. Also, the client 108 may have local contextspecific to the instance of the http session, such as a mechanism forkeeping track of an outstanding request to the host service 116 a-116 n.This context may be stored in memory of the client 108, in files on theclient 108, or other software component interfaced with the client 108.If the connection between the client 108 and the host service 116 a-116n is not persistent, then a new user session needs to be establishedwith new session specific context on the host service 116 a-116 n andthe client 108. The present invention maintains the session so that anew session, and therefore new specific session context, does not needto be re-established.

The present invention maintains the user session through network levelconnection interruptions and without notification to the user of theclient that the session was interrupted. In operation of this aspect ofthe invention, the first protocol service 112 establishes and maintainsa first connection with a client 108 and a second connection with a hostservice 116 a-116 n. Via the first connection and the second connection,a session between the client 108 and the host service 116 a-116 n isestablished. The first protocol service 112 can store and maintain anysession related information such as authentication credentials, andclient 108 and host service 116 a-116 n context for the establishedsession. A user on the client 108 will exercise the functionalityprovided by the host service 116 a-116 n through the establishedsession. As such, related secondary protocol packets 304 a-304 n willcontain data related to the transaction of such functionality. Thesesecondary protocol packets 304 a-304 n as part of the secondary protocol200 a-200 n are encapsulated and communicated in a first protocol 204.Upon detection of a disruption in either the first connection or thesecond connection, the first protocol service 112 can re-establish thedisrupted connection while maintaining the other connection that mayhave not been disrupted. The network connection disruption may cause aninterruption to the session between the client 108 and the host service116 a-116 n. However, since the transport mechanism is not maintained bythe secondary protocols 200 a-200 n, the session can be re-establishedafter the network connection is re-established without the user on theclient 108 having notification that the session was interrupted. Thesecondary protocol 200 a-200 n does not need to contain any interruptionrelated information to transmit to the client 108. Thus, theinterruption of the session caused by the network connection disruptionis effectively hidden from the user because of the encapsulation of thefirst protocol 204.

The first protocol service 112 maintaining session related informationcan re-establish the session between the client 108 and the host service116 a-116 n. For example, if the first connection between the client 108and the first protocol service 116 is disrupted, the first protocolservice 112 can keep the client's 108 session active or open between thefirst protocol service 112 and the host service 116 a-116 n. After thefirst connection is re-established, the first protocol service 112 canlink the session of the client 108 to the maintained session between thefirst protocol service 112 and the host service 116. The first protocolservice 112 can send to the client 108 any data that was queued prior tothe disruption in the first connection. As such, the client 108 will beusing the same session prior to the disruption, and the host service 116a-116 n and client 108 can continue to use any session specific contextthat may have in memory or stored elsewhere. Furthermore, because of theintermediary of the first protocol service 112, the host service 116a-116 n may not be aware of the network disruption between the firstprotocol service 112 and the client 108.

In another example, if the second connection between the first protocolservice 112 and the host service 116 a-116 n is disrupted, the firstprotocol service can maintain the first connection with the client 108while re-establishing the second connection with the host service 116a-116 n. After re-establishing the second connection, the first protocolservice 112 can re-establish the client's session, on behalf of theclient, with the host service 116 a-116 n. Since the first protocolservice 112 was maintaining any session relation information, the firstprotocol service may re-establish the same session or a similar sessionso that the client 108 is not aware of the disruption in the secondnetwork connection and the resulting disruption to the session betweenthe first protocol service 112 and the host service 116 a-116 n. Duringre-establishing the second network connection and the session, the firstprotocol service 112 can queue any session transactions sent by theclient 108 during the disruption. Then, after re-establishing thesession with the host service 116 a-116 n, the first protocol service112 can transmit the queued transactions to the host service 116 a-116 nand the session can continue normally. In this manner, the client 108continues to operate as if there was not an interruption to the session.

Additionally, by providing a reliable and persistent connection, thepresent invention also avoids interruptions to transactions, commands oroperations as part of the functionality exercised between the client 108and a host node 118, or a host service 116 a-116 n. For example, a filecopy operation using Windows Explorer has not been designed to continueworking after there is a disruption in a network connection. A user onthe client 108 may use the file copy feature of Windows Explorer to copya file from the client 108 to a host node 118. Because of the size ofthe file or files, this operation may take a relatively extended periodof time to complete. If during the middle of the operation of the copyof the file to the host node 118, there is an interruption in thenetwork connection between the client 108 and the host node 118, thefile copy will fail. Once the network connection is re-established, theuser will need to start another file copy operation from WindowsExplorer to copy the file from the client 108 to the host node 118.Under the present invention, the user would not need to start anotherfile copy operation. The network connection would be re-established aspart of the first protocol 204 connection. The file copy operationswould be encapsulated in the payload of the secondary protocols 200a-200 n. As such, the file copy of Windows Explorer would not getnotified of the interruption in the network connection and therefore,would not fail. The first protocol service 112 would re-establish anyconnections and transmits any queued data so that operation can continuewithout failure. The first protocol service 112 would maintain a queueof the data related to the file copy operations that has not beentransferred to the host node 118 because of the interruption in thenetwork connection. Once the network connection is re-established, thefirst protocol service 112 can transmit the queued data and thencontinue on with transferring the data related to the file copyoperation in due course.

Although this aspect of the invention is described in terms of a filecopy operation example, one ordinarily skilled in the art will recognizethat any operation, transaction, command, function call, etc. transactedbetween the client 108 and the host node 118, or host service 116 a-116n, can be maintained and continued without failure from the networkconnection disruption, and, furthermore, without the client 108recognizing there was a disruption or having notice of the disruption.

Furthermore, by providing a reliable and persistent connection, thepresent invention also enables a client 108 to traverse throughdifferent network topologies without re-starting a session or anapplication on the client 108. For example, the client 108 may be acomputer notebook with a wireless network connection. As the client 108moves from a first wireless network to a second wireless network, theclient's network connection 135 may be temporarily disrupted from thefirst wireless network as a network connection is established with thesecond wireless network. The second wireless network may assign a newnetwork identifier, such as a host name or internet protocol address, tothe client 108. This new network identifier may be different than thenetwork identifier assigned to the client 108 by the first wirelessnetwork. In another example, the client 108 may be physically connectedthrough an Ethernet cable to a port on the network. The physicalconnection may be unplugged and the client 108 moved to another locationto plug into a different port on the network. This would cause adisruption into the network connection 135 and possible a change in theassigned network identifier. Without the present invention, any sessionswith a host service 116 a-116 n on the client 108 or application on theclient 108 accessing the network may need to be restarted due to thechange in the network topology, the disruption to the network connection135, and/or the change in the assigned network identifier. By the methodand systems described herein, the present invention maintains thenetwork connection for the client and automatically re-established theclient's 108 network connection including handling changes in thenetwork topology and network identifier. The client 108, and anyapplications or sessions on the client 108, can continue to operate asif there was not a network connection disruption or a change in thenetwork identifier. Furthermore, the user on the client 108 may notrecognize there were any interruptions or changes, and the client 108may not receive any notice of such interruptions.

In another aspect, the present invention relates to securelyestablishing a communication session between the client 108 and the hostservice 116 via multiple connections or “hops” that traverse multiplenetwork components, such as a proxy, security gateway, firewall orrouter. The establishment of the multiple hop secure communicationsession may further be initiated via a secure client-web servercommunication channel 140, for example, between the web browser 162 andthe web server 120 using SSL. The ticket authority 136 can providetickets for each of the hops such as the client-first protocol serviceconnection 135 and the first protocol service to host serviceconnections 124 a-124 n. In this manner, the client 108 is authenticatedthrough all the connections between the client 108 and the host service116 a-116 n.

In operation, and also referring to FIG. 4, the client user requests(step 400) content (e.g., an application, a server desktop) to beremotely displayed on the client 108 (i.e., the ICA client 128). Inanother embodiment, the client 108 uses the web browser 162 to requestan application and the web server 120 then authenticates the user. Afterreceiving the request, the web server 120 validates (step 405) therequest with the ticket authority 136. The ticket authority 136 thengenerates (step 410) a ticket, which includes a first ticket, or clientticket, and a second ticket, or first protocol service ticket. The firstand second tickets are “one-time use” tickets having no further valueafter their first use. In a further embodiment, the first and secondtickets must be used within a predetermined time period.

In one embodiment, the ticket authority 136 stores the first and secondtickets in memory (e.g., RAM) until the ticket is used. Alternatively,the ticket authority 136 stores the first and second tickets in astorage device (not shown) until the ticket is used. The storage devicemay include, for example, a database or a persistent memory (e.g., on afloppy disk, hard disk drive). The ticket authority 136 subsequentlytransmits (step 415) the client ticket to the web server 120 and the webserver 120 then forwards (step 420) the client ticket to the client 108.

The client 108 then initiates (step 425) a communication session withthe first protocol service 112 by transmitting a proxy connectionrequest over the client-first protocol service communication channel135. The proxy connection request includes the client ticket. In oneembodiment, the proxy connection request also includes a dummy passwordthat can be replaced by the first protocol service 112 when establishinga communication session with the host node 118. In a further embodiment,the web server 120 transmits the dummy password to the client 108 forfuture generation of a proxy connection request having a formatacceptable to the first protocol service 112. The first protocol service112 then extricates (step 430) the client ticket from the proxyconnection request and forwards the client ticket to the ticketauthority 136 for validation. The ticket authority 136 then validates(step 435) the first ticket. In one embodiment, the ticket authority 136verifies the first ticket by searching its storage device (e.g.,database) for the first expected ticket.

If the ticket authority 136 does not find the first ticket in thestorage device (such as if the first ticket has been used already), theticket authority 136 ends the communication session. If the receivedticket matches the client ticket that the ticket authority 136 expects,the client ticket is validated. The ticket authority 136 then transmits(step 440) the second or first protocol service ticket to the firstprotocol service 112. Additionally, the ticket authority 136 deletes theclient ticket from the storage device, as the client ticket has now beenused once. In another embodiment, the ticket authority 136 alsotransmits the Internet protocol (IP) address of the host node 118 to thefirst protocol service 112. In yet another embodiment, the ticketauthority 136 transmits the domain name of the host node 118 to thefirst protocol service 112 for future conversion into the IP address.

The first protocol service 112 receives the second ticket, or the firstprotocol service ticket, and subsequently opens communications acrossthe proxy-server communication channel 145 by transmitting (step 445)the second ticket to the host node 118. The host node 118 receives thefirst protocol service ticket and then transmits the ticket over theticket-server communication channel 157 to the ticket authority 136 forvalidation (step 447). In one embodiment, if the ticket authority 136determines that the first protocol service ticket received from the hostnode 118 has been used previously or does not have the correct value(i.e., the same value as the value stored in the associated storagedevice), the ticket authority 136 transmits an error message to thefirst protocol service 112 (or the web server 120) to terminate theestablished communication session with the client 108. If the ticketauthority 136 validates the first protocol service ticket (step 448),the host node 118 then launches (step 450) the ICA publishedapplication. The host node 118 then transmits application information tothe first protocol service 112 (step 453) for remote displaying of theapplication on the client 108 (step 455) using the ICA client 128.

In a further embodiment, the client 108 launches the ICA client 128 wheninitiating communications with the first protocol service 112 in step425. In other embodiments, the client 108 launches the ICA client 128when the client 108 receives the application information from the firstprotocol service 112 in step 453.

Thus, the client 108 is not aware of the first protocol service ticketbut only the client ticket. Moreover, the ICA client 128 cannot accessthe host node 118 without communicating with the first protocol service112 and presenting the client ticket.

The ticket authority 136 could also transmit the first protocol serviceticket to the first protocol service 112 in step 440 as the userpassword for the user of the client 108. This allows the first protocolservice 112 to use the first protocol service ticket as the loginpassword to gain access to the host node 118 without exposing the user'slogin password over the untrusted part of the web (i.e., the non-secureclient-first protocol service communication channel 135 during step425). Thus, in one embodiment, the communications system 100 couldinclude a centralized password mapping database managed by the ticketauthority 136 and co-located with the host node 118 to map the firstprotocol service ticket with a user's password.

Therefore, the password can accompany both tickets (i.e., the firstprotocol service ticket and the client ticket) or the password canaccompany one of the two tickets. As described above, if the passwordaccompanies one of the two tickets, such as the client ticket, then thefirst protocol service ticket is the password. In one embodiment, thepassword can be a system password that does not change in value or maybe a one-time use password, such as those generated by SecurID tokensdeveloped by RSA Security Inc. of Bedford, Mass.

Additionally, the invention can be expanded to a communications systemhaving any number of first protocol services 112, or “hops”, that theclient 108 has to communicate with before establishing a communicationsession with the host node 118. Although described in relation to afirst protocol service 112, a hop can comprise any network component,such as a proxy 115, firewall, router, and relay.

For instance and referring to FIG. 5A, a four-hop example is acommunication system 505 having a first protocol service 112′ with aproxy 115′, a second first protocol service 112″ with a proxy 115″, anda third first protocol service 112′″ with a proxy 115′″ (generally 115).The first protocol services 112 with proxies 115 communicate over aproxy-proxy communication channel, such as a first proxy-proxycommunication channel 510′ and a second proxy-proxy communicationchannel 510″ (generally proxy-proxy communication channel 510). Theclient 108 communicates with the first protocol service 112′ whichcommunicates with the second first protocol service 112″. In turn, thesecond first protocol service 112″ communicates with the third firstprotocol service 112′″ and then the third first protocol service 112′″communicates with the host node 118 over the proxy-server communicationchannel 145 to establish the communication session with the host node118. Furthermore, although the embodiment described above includes aticket having a client ticket and a first protocol service ticket,another embodiment includes the ticket comprising numerous tickets.

More explicitly and also referring to FIG. 5B, the web server 120receives a request from the client 108 for an application and the webserver 120 validates the request with the ticket authority 136 (step405). The ticket authority 136 then generates an N part ticket (e.g., T₁to T_(N)) in step 410. In one embodiment, the ticket authority 136 thentransmits a portion T_(i) of the N part ticket (e.g., the first part ofthe ticket, or first ticket T₁) to the web server 120 (step 415). Theweb server 120 then transmits the ticket T₁ to the client 108 (step420). In one embodiment, the ticket authority 136 also transmits theaddress of the next “hop” (e.g., the first protocol service 112′) to theweb server 120, which then transmits the address to the client 108. Thisaddress is the address of the next hop (e.g., first protocol service112) that this hop (e.g., client 108) needs to communicate with for theclient 108 to eventually be authenticated to the host node 118.

The client 108 uses the address to then contact the next “hop” (e.g.,first protocol service 112′) and initiates a communication session withthe 1st first protocol service 112′ by transmitting a proxy connectionrequest over the client-first protocol service communication channel135. The first protocol service 112′ then extracts (step 530) the firstticket T₁ from the proxy connection request and forwards this ticket tothe ticket authority 136 for validation. The ticket authority 136 thenvalidates (step 535) the first ticket T₁.

Upon proper verification of the first ticket T₁, the ticket authority136 transmits the next ticket T_(i) from the N part ticket (e.g., T₂) tothe next first protocol service 112 (e.g., first protocol service 112′)(step 540). In some embodiments, the ticket authority 136 also transmitsthe address of the next hop (e.g., the second first protocol service112′″) to this hop (e.g., the first protocol service 112′). The firstprotocol service 112′ transmits this ticket to the next hop (e.g., thesecond first protocol service 112″) (step 545). In one embodiment, thesecond first protocol service 112″ verifies T₂ by transmitting theticket to the ticket authority 136 (step 550). The ticket authority 136validates the second ticket T₂ (step 555) and the process continues, asshown in steps 560 through 575. Once the last part of the N part tickethas been validated, steps 450 through 455 occur, as shown in FIG. 4, tolaunch the application on the client 108.

In one embodiment, each first protocol service 112 (i.e., each hop)validates T_(i) (e.g., T₂) with a ticket authority 136 associated withthe first protocol service 112 (i.e., hop). In this embodiment, aftereach first protocol service 112 validates the ticket T_(i) (e.g., T₂)with a ticket authority 136, the ticket authority 136 at which thevalidation took place transmits the next ticket T_(i+1) (e.g., T₃) andthe address of the next first protocol service 112 (i.e., the next “hop”destination) to the first protocol service 112 that had validated theticket T_(i). Thus, each first protocol service 112 is associated with aticket authority 136 that has been configured with the current and nexthop tickets (i.e., validating T_(i) and transmitting T_(i+1) for thenext hop). Consequently, the next first protocol service 112 acts as theclient for that hop. This process is repeated until reaching the hostnode 118 in the communications system 505. Thus, each hop has beenvalidated individually without revealing all of the ticket to any onehop.

In other embodiments, the ticket authority 136 may issue more than oneticket rather than issuing one ticket having many parts. For example,the ticket authority 136 generates a first hop ticket and a second hopticket in step 510, where the first hop ticket has no association withthe second hop ticket. The ticket authority 136 subsequently transmitsthe first hop ticket to the web server 120 and the web server 120transmits the first hop ticket to the client 108. The client 108transmits this first hop ticket to the first protocol service 112 (e.g.,first protocol service 112′) for validation by the ticket authority 136.Upon validation in step 535, the ticket authority 136 transmits in step540 the second hop ticket to the next first protocol service 112 (e.g.,second first protocol service 112″) while the first hop ticket isindependent from the second hop ticket.

In a further embodiment, one or more of the ticket authorities 136provides the proxies 115, either as part of the first protocol service112 or separated from the first protocol service 112, with any necessaryinformation needed to connect to the next hop, such as, but withoutlimitation, encryption keys, SSL method configuration information, andauthentication information to connect to a SOCKS server (e.g., SOCKS5server, developed by NEC Corporation of Tokyo, Japan).

In yet another embodiment, a ticket authority 136 only generates asingle ticket. The ticket authority 136 transmits the single ticket tothe web server 120. The web server 120 forwards the single ticket to theclient 108. The first protocol service 112 subsequently receives theticket from the client 108 and “consumes” the single ticket uponvalidation. As a result, the communications system 100 can use a singleticket to provide the ability to use arbitrary communication protocolsover the client-proxy communication channel 135 and the client-webserver communication channel 140. Additionally, because the host node118 does not receive or verify the single ticket, the ticket istransparent to the host node 118 and, consequently, the host node 118 isnot “aware” of the use of the ticket.

By exploiting the security of the secure communications between theclient 108 and the web server 120 over the secure client-web servercommunication channel 140, the communications system 505 establishes asecure communication link over the non-secure client-proxy communicationchannel 135 to remotely display desktop applications securely on theclient 108.

In yet another embodiment and referring again to FIG. 4, the ticketauthority 136 transmits in step 415 a disabled version of the firstprotocol service ticket with the client ticket to the web server 120 fortransmission to the client 108. The client 108 subsequently transmits(step 425) the first protocol service ticket along with the clientticket to the first protocol service 112 as part of the proxy connectionrequest. The first protocol service 112 then forwards both tickets tothe ticket authority 136. Upon receiving a disabled first protocolservice ticket, the ticket authority 136 enables the first protocolservice ticket after validating the client ticket. The ticket authority136 then transmits the enabled first protocol service ticket to thefirst protocol service 112 for authentication to the host node 118.

Alternatively, in another embodiment the web server 120 receives adisabled first protocol service ticket and an enabled client ticket fromthe ticket authority 136 and only transmits the client ticket to theclient 108. The client 108 transmits (step 425) the client ticket to thefirst protocol service 112 as part of the proxy connection request. Thefirst protocol service 112 then forwards the client ticket to the ticketauthority 136. The ticket authority 136 validates the client ticket and,upon validation, enables the first protocol service ticket previouslytransmitted to the web server 120. In yet another embodiment, the ticketauthority 136 transmits an enabled first protocol service ticket to theweb server 120 upon validation of the client ticket for authenticationto the host node 118.

Thus, at any given time, the ticket authority 136 provides only oneticket that is enabled to the client 108 or first protocol service 112that the ticket authority 136 can validate. The ticket authority 136 mayprovide another ticket that can't be validated (i.e., a disabled ticket)until the enabled ticket is validated. Alternatively, the ticketauthority 136 may not transmit the first protocol service ticket to thefirst protocol service 112 until the ticket authority 136 validates theenabled ticket. As discussed in further detail below, this enforcesnetwork routing of communications using the communications system 505because the client 108 cannot traverse the web server 120 or the firstprotocol service 112 without having the ticket authority 136 validatethe enabled ticket and transmit the ticket needed to communicate withthe host node 118.

In another embodiment, instead of transmitting the first protocolservice ticket to the first protocol service 112 as in step 440, theticket authority 136 transmits the first protocol service ticket to theweb server 120 directly over the web server-authority communicationchannel 250. The web server 120 then automatically transmits the firstprotocol service ticket to the host node 118. In other words, the webserver 120 “pushes” the first protocol service ticket to the host node118. The ticket authority 136 can also push the first protocol serviceticket to the host node 118 without transmission of the first protocolservice ticket to the first protocol service 112 or the web server 120.

In yet another embodiment, the host node 118 retrieves the firstprotocol service ticket from the ticket authority 136 over theticket-content server communication channel 157. In other words, thehost node 118 “pulls” the first protocol service ticket from the ticketauthority 136. The above examples are illustrations of techniques usedto eliminate step 345 (while modifying the destination of thetransmission in step 440).

Moreover, the invention enforces the routing of the client 108 throughthe first protocol service 112. As stated above, the client 108 has topossess the first protocol service ticket to establish a communicationsession with the host node 118. More specifically, to establish aconnection with the host node 118, the web server 120 first has tovalidate the request of the client 108 with the ticket authority 136.Once validated, the client 108 obtains the first ticket and transmitthis first ticket to the ticket authority 136 for validation. However,upon validation, the ticket authority 136 transmits the first protocolservice ticket back to the first protocol service 112 rather than theclient 108. The communication session between the client 108 and thehost service 116 is established when the host service 116 receives thefirst protocol service ticket. Thus, the client 108 has to communicatewith the first protocol service 112 in order to have the first protocolservice ticket transmitted to the host service 116, thereby enforcingthe routing of the client 108 through the first protocol service 112.Thus, the invention can ensure the proper traversal of a security device(e.g., the first protocol service 112) before granting access to thehost node 118.

For example, a host node 118 executes several applications, such asMICROSOFT WORD and MICROSOFT EXCEL, both developed by MicrosoftCorporation of Redmond, Wash. In one embodiment, the client 108 usesNFUSE, developed by Citrix Systems, Inc. of Fort Lauderdale, Fla., toobtain information from the server farm 169 on which applications can beaccessed by the client 108. If a client user wants to access and useMICROSOFT WORD, the client 108 requests the application from the webserver 120. However, only users who pay an application fee for MICROSOFTWORD can become authorized to access the application.

To ensure the payment of the application fee, the communications system505 includes the first protocol service 112 and the ticket authority 136to enforce the routing of the client 108 through the first protocolservice 112. The routing of the client 108 through the first protocolservice 112 is valuable to the application provider if the firstprotocol service 112 is used to collect the application fee andauthorize the user for access to the application.

The ticket authority 136 subsequently generates a ticket associated withthe request for the application. An enabled first ticket is thentransmitted to the client 108. Because the client 108 does not have theaddress of the host node 118, the client 108 cannot access theapplication. Further, the client 108 has not been authorized by thefirst protocol service 112 yet (i.e., has not yet paid). Thus, theclient 108 has to communicate with the first protocol service 112 tobecome authorized. The first protocol service 112 can then transmit theenabled first ticket to the ticket authority 136 upon payment of theapplication fee.

The ticket authority then validates the client ticket and subsequentlytransmits (or enables) a first protocol service ticket to the proxy 115.The first protocol service 112 then transmits the first protocol serviceticket to the host node 118 (e.g., assuming the client user has paid theapplication fee), which enables the host node 118 to transmit theapplication to the client 108. The communications system 505 may alsouse Application Launching And Embedding (ALE) technology, developed byCitrix Systems, Inc., to enable the launching of the application from orthe embedding of the application into an HTML page for delivery to theclient 108.

In another aspect, the present invention is directed towardsreconnecting a client 108 to a host service 116 and re-authenticatingthe connections or “hops” between the client 108 and the host service116. FIG. 6A depicts another illustrative embodiment of a system 600that is capable of re-connecting the client 108 to a host service 116.In addition to the networks 104 and 104′, the client 108, the firstprotocol service 112, and the host services 116, all of which aredescribed above, the system 600 further includes an intermediary node632, and a ticket authority 136. In one embodiment, the intermediarynode 632 is a security gateway, such as, for example, a firewall and/ora router, through which messages between the client 108 and the firstprotocol service 112 must pass due to the configuration of the network104. Additionally, the intermediary node 632 may comprise the proxy 115of the first protocol service 112, either with or without the firstprotocol service 112. The ticket authority 136 can be, as illustrated, astand-alone network component that is capable of communication and thathas sufficient processor power and memory capacity to perform theoperations described herein.

As shown in the illustrative embodiment of FIG. 6A, the intermediarynode 632 is configured to accept a connection 135 a initiated by theclient 108 and to establish a second connection 135 b with the firstprotocol service 112. Together, the connection 135 a and the secondconnection 135 b constitute the connection 135, described above, overwhich the client 108 and the first protocol service 112 communicateusing the first protocol.

The intermediary node 632, as shown, is also configured to communicatewith the ticket authority 136. In one embodiment, the ticket authority136 is configured to receive a request for a first re-connection ticketfrom the intermediary node 632 and to thereafter generate the firstre-connection ticket. The first re-connection ticket can include, forexample, a large random number. In another embodiment, the ticketauthority 136 is configured to receive a request for a firstre-connection ticket for each of the “hops” between the client and hostservice 116. For example, the intermediary node 632 may requestre-connection tickets for the connection between the client 108 and theintermediary node 632, between the intermediary node 632 and the firstprotocol service 112, and between the first protocol service 112 and thehost service 116. These re-connection tickets may only be valid for eachof the “hops”. For example, a first re-connection ticket for the firstprotocol service 112 to host service 116 connection is valid only forauthenticating the first protocol service 112 to the host service 116 onbehalf of the client 108.

In another embodiment, the ticket authority 136 is configured togenerate a handle. The handle can be, for example, a random number thatis associated with (e.g., mapped to) the first re-connection ticket. Inone embodiment, the handle is a smaller random number than the randomnumber forming the first re-connection ticket. For example, the handlemay be a 32-bit random number. In a further embodiment, the handleassociated with a ticker or a re-connection ticket is an address of orpointer to the next “hop” in the multiple-hop connection between theclient 108 and the host service 116. In this case, a ticket orre-connection ticket is validated for a single “hop” with a pointer tothe next “hop”. The next “hop” will need to obtain and validate adifferent ticket or re-connection ticket and so forth until the last“hop” is validated and connected to the host service 116 on behalf ofthe client 108.

The ticket authority 136 transmits the first re-connection ticket andthe handle to the intermediary node 632, while keeping a copy of thefirst re-connection ticket and a copy of the handle. The copy of thefirst re-connection ticket can later be used by the ticket authority 136to validate the first re-connection ticket originally transmitted to theclient 108 when it is later presented to the ticket authority 136 duringthe process of re-connecting the client 108. In one embodiment, theticket authority 136 also keeps an address for the first protocolservice 112, which, as explained below, is associated with the firstre-connection ticket and, upon validation of the first re-connectionticket, is transmitted to the intermediary node 632.

In one embodiment, the intermediary node 632 is further configured touse the handle transmitted to it by the ticket authority 136 to deletethe copy of the first re-connection ticket kept at the ticket authority136. In another embodiment, as described below, the ticket authority 136is further configured to delete, during the process of re-connecting theclient 108 to a host service 116, the first re-connection ticket andthereafter generate a replacement first re-connection ticket.Additionally, in another embodiment, the first re-connection ticket isconfigured for automatic deletion after a pre-determined period of time.In the embodiment of re-connection tickets for each of the “hops”between the client and the host service 116, one, some or all of there-connection tickets may be configured for automatic deletion after apre-determined period of time. In other embodiments, the ticketauthority 136 or the intermediary node 632 is configured to delete eachof the multiple-hop tickets and generate replacement tickets.

In another embodiment, the first protocol service 112 is configured togenerate a second re-connection ticket, which, as in the case of thefirst re-connection ticket, can include, for example, a large randomnumber. In one embodiment, the first protocol service 112 generatessecond re-connection tickets for each of the “hops” between the client108 and the host service 112. The first protocol service 112 can also beconfigured to transmit the second re-connection ticket to the client108, while keeping a copy of the second re-connection ticket and asession number. The copy of the second re-connection ticket can later beused by the first protocol service 112 to validate the secondre-connection ticket originally transmitted to the client 108 when it islater presented to the first protocol service 112 during the process ofre-connecting the client 108. In one embodiment, the first protocolservice 112 transmits the second re-connection ticket to the client 108via the intermediary node 632. In another embodiment, the first protocolservice 112 transmits the second re-connection ticket to the client 108directly. In a further embodiment, the first protocol service 112 maytransmit second re-connection tickets to other first protocol services112 or intermediary nodes 632 that may comprise the multiple-hopconnection between the client 108 and the host service 116.

Moreover, as described in greater detail below, the first protocolservice 112 can be further configured to delete, during the process ofre-connecting the client 108 to a host service 116, the secondre-connection ticket, and thereafter generate a replacement secondre-connection ticket. Additionally, in another embodiment, the secondre-connection ticket is configured for automatic deletion after apre-determined period of time. In further embodiments, a first protocolservice 112 of one or more first protocol services 112 in a multiple-hopconnection is configured to delete the second re-connection tickets foreach of the “hops”, and thereafter generate replacement secondre-connection tickets for one, some or all of the “hops.”

In one embodiment, the intermediary node 632 serves as an intermediaryfor the first and second re-connection tickets. The intermediary node632 receives, for example, the first re-connection ticket generated bythe ticket authority 136 and the second re-connection ticket generatedby the first protocol service 112. The intermediary node 632 can thentransmit the first re-connection ticket and the second re-connectionticket to the client 108. Moreover, during the process of re-connectingthe client 108 to a host service 116, the intermediary node 632 canaccept the first re-connection ticket and the second re-connectionticket from the client 108 and thereafter transmit the firstre-connection ticket to the ticket authority 136 and, if appropriate,the second re-connection ticket to the first protocol service 112.

In another embodiment, the intermediary node 632 serves as anintermediary for the re-connection tickets for the multiple-hops betweenthe client 108 and the host service 116. The intermediary node 632receives, for example, the first re-connection ticket for the client 108to first protocol service 112 connection and the first re-connectionticket for the first protocol service 112 to the host service 116. In afurther embodiment, the intermediary node 632 receives a firstre-connection ticket for the connection between the intermediary node632 and the first protocol service 112. The intermediary node 632 canthen transmit the first re-connection ticket for the client to theclient 108 and the first re-connection ticket for the first protocolservice 112 to the first protocol service 112. Moreover, during theprocess of re-connecting the client 108 to a host service 116, theintermediary node 632 can accept the first re-connection ticket from theclient 108 to validate the ticket to re-establish the client'sconnection to the intermediary node 632 or the first protocol service112.

Referring to FIG. 6B, another embodiment of a system 602 for networkcommunications includes the networks 104 and 104′, the client 108, thefirst protocol service 112, the host services 116 a-116 n, theintermediary node 632, and the ticket authority 136, as described above,and further depicts a first computing node 640 and a second computingnode 644, both of which are used, in one embodiment, for initiallyconnecting the client 108 to a host service 116. Moreover, in theillustrative embodiment of FIG. 6A, the client 108 further includes aweb browser 162, such as, for example, the INTERNET EXPLORER programfrom Microsoft Corporation of Redmond, Wash., to connect to the WorldWide Web.

In one embodiment (not shown), the system 602 includes two or moreintermediary nodes 632 and/or two or more first protocol services 112.The intermediary node 632, through which messages between the client 108and the first protocol service 112 must pass, and/or the first protocolservice 112 can, as explained below, each be chosen based on, forexample, a load balancing equation.

Each of the first computing node 640 and the second computing node 644can be any computing device that is capable of communication and thathas sufficient processor power and memory capacity to perform theoperations described herein. For example, in one embodiment, the firstcomputing node 640 comprises a web server 120, providing one or morewebsites. In another embodiment, the second computing node 644 providesan XML service.

In one embodiment, the client 108 and the network 104 form an externalnetwork 652, separated from the rest of the system 602 by a firstfirewall 160, depicted as a dashed line. The intermediary node 632 andthe first computing node 640 can be located in a DMZ 130 separated fromthe rest of the system 602 by the first firewall 160 and a secondfirewall 161, also depicted by a dashed line. Then, as shown, thenetwork 104′, the first protocol service 112, the host services 116a-116 n, the ticket authority 136, and the second computing node 644form an internal network 668, separated from the rest of the system 602by the second firewall 161.

Alternatively, in another embodiment, and with reference to FIG. 6C, thesystem 604 further includes a third computing node 646 positioned in theDMZ 130, between the network 104 and the intermediary node 632. Thethird computing node 646 can be any computing device that is capable ofnetworked communication and that has sufficient processor power andmemory capacity to perform the operations described herein. As describedbelow, the third computing node 646 is used, in some embodiments, duringthe process of initially connecting the client 108 to a host service 116and/or during the process of re-connecting the client 108 to a hostservice 116. More specifically, as described below, where the system 604includes two or more intermediary nodes 632, the third computing node646 can, based on a load balancing equation for example, choose theintermediary node 632 through with communications between the clientagent 128 of the client 108 and the first protocol service 112 mustpass.

Moreover, referring to FIG. 6D, the intermediary node 632 of FIG. 6Ccan, in an alternative embodiment, be replaced by two or more levels“a”-“n” of intermediary nodes 632. As illustrated, each level “a”-“n”can include two or more intermediary nodes 632 a-632 n. As describedbelow, the client agent 128 of the client 108 can be routed through anycombination of the intermediary nodes 632 based on, for example, loadbalancing equations. For example, as illustrated, the client agent 128can be routed through the intermediary nodes 632 via connection 622. Foradditional security, each of the “hops” via connection 622 may require aticket or re-connection ticket for validating and authenticating themultiple-hop connection between the client 108 and the host service 116.Other configurations of the systems 600, 602 and 604, as would bereadily apparent to one skilled in the art, are also possible.

Referring again to FIG. 6B, in one embodiment, the web browser 162communicates over the network 104 with the first computing node 640,which itself interfaces with the second computing node 644 and theticket authority 136. More specifically, the first computing node 640 isconfigured with the address of the second computing node 644 and theticket authority 136. In one embodiment, as explained further below, thefirst computing node 640 is configured to relay information between, andthereby prevent direct communication between, the web browser 162 of theclient 108, the second computing node 644, and the ticket authority 136.By preventing such direct communication, the first computing node 640adds an additional level of security to the system 602. The firstcomputing node 640 can also be configured with the address of theintermediary node 632, or, alternatively, with the address of two ormore intermediary nodes 632.

For its part, the second computing node 644 is configured to determinewhich of the application programs running on the host services 116 areavailable to a user of the client 108. In other words, the secondcomputing node 644 is configured to determine which of the applicationprograms the user is authorized to access. In one embodiment, after theuser selects his desired application program, as described furtherbelow, the second computing node 644 is further configured to determinewhich of the host services 116 will be used to run the user's desiredapplication for purposes of load balancing. The second computing node644 returns the address of that host service 116 to the first computingnode 640. The second computing node 644 also returns the address of thefirst protocol service 112, which can also be selected from amongst aplurality of first protocol services 112 through the use of a loadbalancing equation, to the first computing node 640. In turn, the firstcomputing node 640 transmits the address of the chosen first protocolservice 112 and the chosen host service 116 to the ticket authority 136.

For its part, the ticket authority 136 generates connection tickets. Inone embodiment, the ticket authority 136 transmits an initial connectionticket to the first computing node 640 for transmission to the client108. In another embodiment, the ticket authority 136 transmits initialconnections tickets to the first computing node 640 for one or more ofthe “hops” between the client 108 and the host service 116.

Referring now to FIG. 7, one embodiment of a method 600 for networkcommunications, using the exemplary embodiment of FIGS. 6A-6D, isillustrated. At step 604, the client 108 initially connects to aplurality of host services 116 by employing, for example, the method 700described below. After the client 108 is connected to the plurality ofhost services 116, the client 108 and the host services 116 communicate,through the first protocol service 112, and at step 608, via a pluralityof secondary protocols encapsulated within the first protocol. In oneembodiment, the first protocol service 112 encrypts, prior to thetransmission of any first protocol packets, communications at the levelof the first protocol 204, thereby securing the communications. Inanother embodiment, the first protocol service 112 compresses, prior tothe transmission of any first protocol packets, the communications atthe level of the first protocol, thereby improving communicationefficiency.

At step 612, the client agent 128 determines whether the connection 135between the client agent 128 and the first protocol service 112 hasfailed. For example, the connection 135 a between the client agent 128and the intermediary node 632 may have failed, the connection 135 bbetween the intermediary node 632 and the first protocol service 112 mayhave failed, or both the connection 135 a and the connection 135 b mayhave failed. In another embodiment, the connection between the firstprotocol service 112 and the host service may have failed 116. If theclient agent 128 determines that the connection 135 has not failed, themethod 600 proceeds to step 620. If, on the other hand, the client agent128 determines that the connection 135 has failed, the client 108 is, atstep 616, provided with a reliable connection to the host services 116and re-connected to the host services 116.

It is determined, at step 620, whether the client 108 wishes to cleanlyterminate its connection 135 with the first protocol service 112 and,consequently, its connections 124 a-124 n with the host services 116. Ifnot, communication between the client 108 and the first protocol service112, via the plurality of secondary protocols encapsulated within thefirst protocol, continues at step 608. If so, then, at step 624, allconnections 135 a, 135 b, and 124 a-124 n are broken and allre-connection tickets are deleted. In one embodiment, the intermediarynode 632 uses a handle it receives from the ticket authority 136 todelete a copy of a first re-connection ticket kept at the ticketauthority 136. In another embodiment, the first protocol service 112deletes a copy of a second re-connection ticket kept at the firstprotocol service 112. In a further embodiment, if for some reason asecondary protocol connection 124 fails, a copy of the secondre-connection ticket associated therewith and kept at the first protocolservice 112 is deleted by the first protocol service 112. In yet anotherembodiment, a first re-connection ticket and/or a second re-connectionticket is automatically deleted after a pre-determined period of timefollowing a failure in the connection 135, as at step 612, and/orfollowing a clean termination of the connection 135, as at step 620. Inother embodiments, either the first protocol service 112 or the ticketauthority 136 delete one or more of the re-connection tickets for one ormore of the “hops” between the client 108 and the host service 116.

Referring to FIGS. 8A-8C, one embodiment of a method 700 for initiallyconnecting the client 108 to the host services 116 (for example at step604 of FIG. 7), using the exemplary embodiment of FIG. 6A-6D, isillustrated. At step 704, the client 108, using the browser 162, sends arequest, such as, for example, an HTTP request, to the first computingnode 640. The first computing node 640 returns a web page, such as, forexample, an HTML form requesting authentication information (e.g., ausername and a password). A user of the client 108 enters hiscredentials and transmits the completed form to the first computing node640.

The first computing node 640, at step 708, then informs the user of theclient 108 of applications available for execution. In one embodiment,the first computing node 640 extracts the user's credentials from thelogin page and transmits them to the second computing node 644, togetherwith a request for the second computing node 644 to enumerate theapplications available to the user. Based on the user's credentials, thesecond computing node 644 returns a list of specific applicationsavailable to the user to the first computing node 640, which thenforwards the list, in the form of a web page for example, to the user ofthe client 108.

At step 712, the user selects the desired application and a request forthat application is sent to the first computing node 640. For example,in one embodiment, the user clicks on a desired application listed inthe web page presented to him by the first computing node 640 and anHTTP request for that application is forwarded to the first computingnode 640. The request is processed by the first computing node 640 andforwarded to the second computing node 644.

At step 716, the second computing node 644 determines the host service116 on which the desired application will be executed. The secondcomputing node 644 can make that determination based, for example, on aload balancing equation. In one embodiment, the second computing node644 also determines a first protocol service 112 from amongst aplurality of first protocol services 112 that will be used tocommunicate with the host service 116 via a connection 124. Again, thesecond computing node 644 can make that determination based, forexample, on a load balancing equation. The second computing node 644returns the address of the chosen host service 116 and the chosen firstprotocol service 112 to the first computing node 640.

The client 108, at step 720, is then provided with an initial connectionticket and an address for the intermediary node 632 (which is either itsactual address or its virtual address, as described below). In oneembodiment, the first computing node 640 provides the address for thechosen host service 116 and the chosen first protocol service 112 to theticket authority 136, together with a request for the initial connectionticket. The ticket authority 136 keeps the address of the chosen hostservice 116 and the chosen first protocol service 112, generates theinitial connection ticket, and transmits the initial connection ticketto the first computing node 640, while keeping a copy for itself. In oneembodiment, the ticket authority 136, in response to the request for theinitial connection ticket by the first computing node 640, generatesconnection tickets for each of the “hops” between the client 108 and thehost service 116. In another embodiment, the first computing node 640requests initial connection tickets for each of the “hops” either in asingle request or in multiple requests. For example, the ticketauthority 126 may generated a multi-part ticket as discussed above inconjunction with FIG. 5B.

The first computing node 640, configured, in one embodiment, with theactual address of the intermediary node 632, then transmits the actualaddress of the intermediary node 632 and the initial connection ticketto the browser 162 of the client 108. The first computing node 640 can,for example, first create a file containing both the actual address ofthe intermediary node 632 and the initial connection ticket and thentransmitting the file to the browser 162 of the client 108. Optionally,in another embodiment, the first computing node 640 is configured withthe actual address of two or more intermediary nodes 632. In such anembodiment, the first computing node 640 first determines theintermediary node 632 through which messages between the client 108 andthe first protocol service 112 will have to pass. The first computingnode 640 then transmits the actual address of that chosen intermediarynode 132 and the initial connection ticket to the browser 162 of theclient 108 using, for example, the file described above. In oneembodiment, the first computing node 640 chooses the intermediary node632 using a load balancing equation. The client agent 128 of the client108 is then launched and uses the address of the intermediary node 632,to establish, at step 724, a first protocol connection 135 a between theclient agent 128 of the client 108 and the intermediary node 632. In oneembodiment, the first computing node 640 may provide initial connectiontickets obtained from the ticket authority 136 to one or more of thefirst protocol service 112 and/or intermediary nodes 632 to validatetheir respective connections.

Alternatively, in another embodiment, the first computing node 640 isconfigured with an actual address of the third computing node 646, whichserves as a virtual address of an intermediary node 132. In such anembodiment, the first computing node 640 transmits, at step 720, theactual address of the third computing node 646 and the initialconnection ticket to the browser 162 of the client 108 using, forexample, the file described above. The client agent 128 of the client108 is then launched and uses the actual address of the third computingnode 646 to establish, at step 724, a first protocol connection betweenthe client agent 128 of the client 108 and the third computing node 646.The third computing node 646 then determines the intermediary node 632through which messages between the client 108 and the first protocolservice 112 will have to pass. In one embodiment, the third computingnode 646 chooses the intermediary node 632 using a load balancingequation. Having chosen the intermediary node 632, the third computingnode 646 establishes a first protocol connection to the intermediarynode 632. A first protocol connection 135 a therefore exists, throughthe third computing node 646, between the client agent 128 of the client108 and the intermediary node 632. The actual address of the thirdcomputing node 646 is therefore mapped to the actual address of theintermediary node 632. To the client agent 128 of the client 108, theactual address of the third computing node 646 therefore serves as avirtual address of the intermediary node 632.

In one embodiment, where more than one level of intermediary nodes 632exist, as described above, the first computing node 640 or the thirdcomputing node 646, respectively, only choose the intermediary node 632to which the client agent 128 will connect at level “a.” In such anembodiment, at each of the levels “a”-“n−1”, the intermediary node 632through which the client agent 128 is routed at that level thereafterdetermines, based on a load balancing equation for example, theintermediary node 632 to which it will connect at the next level.Alternatively, in other embodiments, the first computing node 640 or thethird computing node 646, respectively, determine, for more than one orall of the levels “a”-“n”, the intermediary nodes 632 through which theclient agent 128 will be routed.

Having established the first protocol connection 135 a between theclient agent 128 of the client 108 and the intermediary node 632, forexample the intermediate node 132 at level “n” (hereinafter referred toin method 700 as the intermediary node 632), the client agent 128 thentransmits the initial connection ticket to the intermediary node 632.

It is then determined, at step 728, whether the initial connectionticket is valid. In one embodiment, the intermediary node 632 transmitsthe initial connection ticket to the ticket authority 136 forvalidation. In one embodiment, the ticket authority 136 determines thevalidity of the initial connection ticket by comparing it to the copy ofthe initial connection ticket it kept at step 720. If the ticketauthority 136 determines the initial connection ticket to be valid, theticket authority 136 transmits, at step 732, the address of the firstprotocol service 112 and the address of the chosen host service 116 tothe intermediary node 632. The ticket authority 136 may also transmitadditional connection tickets for the first protocol service 112 andintermediary node 632 through which the client 108 will connect to thehost service 116. The first protocol service 112 can also delete theinitial connection ticket and the copy thereof. If, on the other hand,the ticket authority 136 determines the initial connection ticket to beinvalid, the client 108 is, at step 730, refused connection to the firstprotocol service 112 and, consequently, connection to the host service116.

Following step 732, the intermediary node 632 uses the address of thechosen first protocol service 112 to establish, at step 736, a firstprotocol connection 135 b between the intermediary node 632 and thefirst protocol service 112. In one embodiment, the intermediary node 632uses an initial connection ticket to establish the first protocolconnection 135 b between the intermediary node 632 and the firstprotocol service 112. In one case, the intermediary node 632 uses thesame initial connection ticket received from the client 108 to validatethe connection 135 b. In another case, the intermediary node 632 uses aninitial connection ticket generated for and valid for the first protocolconnection 135 b. A first protocol connection 135 therefore now exists,through the intermediary node 632, between the client agent 128 of theclient 108 and the first protocol service 112. The intermediary node 632can also pass the address of the chosen host service 116 to the firstprotocol service 112.

In one embodiment, at step 740, the first protocol service 112 uses theaddress of the chosen host service 116 to establish a secondary protocolconnection 124 between the first protocol service 112 and the chosenhost service 116. For example, the chosen host service 116 is in factthe host service 116 a and a secondary protocol connection 124 a isestablished between the first protocol service 112 and the host service116 a.

In one embodiment, following step 740, the user chooses, at step 744, asecond application to be executed and the second computing node 644determines, at step 748, the host service 116 on which the secondapplication is to be executed. For example, by calculating a loadbalancing equation, the second computing node 644 may choose the hostservice 116 b to execute the second application program. The secondcomputing node 644 then transmits the address of the chosen host service116 b to the first protocol service 112. In one embodiment, the secondcomputing node 644 is in direct communication with the first protocolservice 112 and directly transmits the address thereto. In anotherembodiment, the address of the chosen host service 116 b is indirectlytransmitted to the first protocol service 112. For example, the addresscan be transmitted to the first protocol service 112 through anycombination of the first computing node 640, the ticket authority 136,the intermediary node 632, and the first protocol service 112. Havingreceived the address of the chosen host service 116 b, the firstprotocol service 112 establishes, at step 752, a secondary protocolconnection 124 b between the first protocol service 112 and the chosenhost service 116 b. In establishing a secondary protocol connection 124b, the first protocol service 112 may validate an initial connectionticket to authenticate the connection to the host service 116. Theinitial connection ticket may be the same as the initial connectionticket for either the client 108 connection to the intermediary node 632or the connection of the intermediary node 632 to the first protocolservice 112. In another embodiment, the ticket authority 136 or any ofthe intermediary node 632 generated a ticket valid only for thesecondary protocol connection 124 b. The first protocol service 112and/or host service 116 uses this ticket to validate the secondaryprotocol connection 124 b.

The secondary protocols that can be used to communicate over theconnections 124 a and 124 b include, but are not limited to, HTTP, FTP,Oscar, Telnet, ICA, and RDP. Moreover, in one embodiment, at least oneof the secondary protocols, as described above, includes a plurality ofvirtual channels, each of which can include a plurality of protocolpackets enabling functionality at the remote client 108. For example, inone embodiment, one host service 116 a is a web server, communicatingwith the first protocol service 112 over the connection 124 a using theHTTP protocol, and another host service 116 b is an application server,communicating with the first protocol service 112 over the connection124 b using the ICA protocol. The host service 116 b generates bothprotocol packets for transmitting graphical screen commands to theclient 108, for causing the client 108 to display a graphical userinterface, and protocol packets for transmitting printer commands to theclient 108, for causing a document to be printed at the client 108.

Steps 744, 748, and 752 can be repeated any number of times. As such,any number of application programs can be executed on any number of hostservices 116 a-116 n, the outputs of which can be communicated to thefirst protocol service 112 over the connections 124 a-124 n using anynumber of secondary protocols.

Turning now to step 756, the first protocol service 112 can, asdescribed above, encapsulate the plurality of secondary protocols withinthe first protocol. As such, the client 108 is connected to, andsimultaneously communicates with, a plurality of host services 116.

In another embodiment, prior to performing steps 744, 748, and 752 toexecute a new application program on a host service 116, such as, forexample, the host service 116 b, a user of the client 108 ends executionof another application program, such as, for example, an applicationprogram executing on host service 116 a. In such a case, the firstprotocol service 112 disrupts the connection 124 a between the firstprotocol service 112 and the host service 116 a. The first protocolservice 112 then establishes, by implementing steps 744, 748, and 752,the connection 124 b between the first protocol service 112 and the hostservice 116 b, without interrupting the connection 135 between theclient 108 and the first protocol service 112.

In one embodiment, a first re-connection ticket is generated at step760. For example, the intermediary node 632 requests a firstre-connection ticket from the ticket authority 136 or requests a firstre-connection ticket for each of the “hops” between the client 108 andthe host service 116. Upon receiving the request, the ticket authority136 generates the one or more first re-connection tickets. Are-connection ticket is, for example, a large random number, and canalso generate a handle, which is, for example, a smaller random number.The ticket authority 136 can then transmit, at step 764, the firstre-connection tickets and the handles to the intermediary node 632,while keeping a copy of the first re-connection tickets and a copy ofthe handles. The ticket authority 136 continues to maintain the addressof the first protocol service 112 that was transmitted to it by thefirst computing node 640 at step 720. The intermediary node 632 thentransmits, at step 768, the client's first re-connection ticket to theclient 108.

At step 772, one or more second re-connection tickets are thengenerated. In one embodiment, the first protocol service 112 generatesthe second re-connection ticket for the client 108, which can be, forexample, a large random number. In another embodiment, the firstprotocol service 112 generates second re-connection tickets for one ormore of the “hops” between the client 108 and the host service 116. Thefirst protocol service 112, at step 776, then transmits the client'ssecond re-connection ticket, through the intermediary node 632, to theclient 108. In doing so, the first protocol service 112 keeps a copy ofthe second re-connection ticket and a session number associatedtherewith for identifying the session to be re-connected following adisruption of the connection 135. In one embodiment, for example, thefirst protocol service 112 maintains, for a particular session number, atable listing the secondary protocol connections 124 a-124 n associatedwith that session number. In a like manner, the first protocol service112 may maintain the first and/or second re-connection tickets for eachof the “hops” being validated to reconnect the client 108 to the hostservice 116.

Accordingly, following re-establishment of the first protocol connection135 and validation of the second re-connection ticket at the firstprotocol service 112, and/or at any subsequent first protocol services112 and/or intermediary nodes 632, he first protocol service 112 canidentify the secondary protocol connections 124 to be encapsulatedwithin the re-established first protocol connection 135 forcommunication to the client 108. Alternatively, in another embodiment,and with reference again to FIG. 1A, the system 100 of the presentinvention does not include the intermediary node(s) 132, the ticketauthority 136, nor the third computing node 646. In such an embodiment,rather than generating and transmitting, at steps 760 through 776, boththe first and the second reconnection tickets, the system 100 and method700 provide for only a single re-connection ticket for the client 108 orfor one or more of the “hops” between the client 108 and the hostservice 116. In one such embodiment, the first protocol service 112, forexample, generates the single re-connection ticket, which can be, forexample, a large random number. The first protocol service 112 thentransmits the client's re-connection ticket directly to the client 108over the connection 135. In doing so, the first protocol service 112keeps a copy of the single re-connection ticket and a session numberassociated therewith for identifying the session to be re-connectedfollowing a disruption of the connection 135. In another embodiment, thefirst protocol service 112 keeps the re-connection ticket for itsconnection to the host service 116 and a session number associatedtherewith for retrieving the re-connection ticket.

Referring now to FIG. 9, one embodiment of a method 800 for providing aclient 108 with a reliable connection to one or more host services 116and for re-connecting the client 108 to the host services 116 (forexample at step 616 of FIG. 7), using the exemplary embodiment of FIGS.6A-6D, is illustrated. In particular, at step 804, the secondaryprotocol connection 124 between the first protocol service 112 and eachof the one or more host services 116 is maintained. Moreover, at step808, a queue of data packets most recently transmitted between theclient agent 128 of the client 108 and the first protocol service 112,via the connection 135 that was determined to have broken, for example,at step 616 of FIG. 7, is maintained. In one embodiment, the datapackets are queued and maintained both before and upon failure of theconnection 135. The queued data packets can be maintained, for example,in a buffer by the client agent 128. Alternatively, the first protocolservice 112 can maintain in a buffer the queued data packets. In yetanother embodiment, both the client agent 128 and the first protocolservice 112 maintain the queued data packets in a buffer.

At step 812, a new first protocol connection 135 is established betweenthe client agent 128 of the client 108 and the first protocol service112 and linked to the maintained secondary protocol connection 124between the first protocol service 112 and each of the one or more hostservices 116, thereby re-connecting the client 108 to the host services116. After the client 108 is re-connected, the queued data packetsmaintained at step 808 can be transmitted, at step 816, via the newlyestablished first protocol connection 135. As such, the communicationsession between the host services 116 and the client 108, through thefirst protocol service 112, is persistent and proceeds without any lossof data.

In an embodiment with multiple “hops” traversing multiple first protocolservices 112, at step 808, a portion or all of the data packets may bemaintained at one or more of the first protocol services 112. At step812, each “hop” may be re-established. After the client 108 isre-connected and re-linked to the first of the one or more firstprotocol services 112 as described above, each of the remainingconnections may be re-established and re-linked to the previouslyre-linked “hop” until the final “hop” to the host service 116 isre-established. Either after the final “hop” is re-established andre-linked, or as each “hop” is re-established and re-linked, the queueddata packets maintained at step 808 can be transmitted, at step 816.

Referring now to FIGS. 10A-10B, one embodiment of a method 900 forre-connecting the client 108 to the one or more host services 116 (forexample at step 812 of FIG. 9), using the exemplary embodiment of FIGS.6A-6D, is illustrated. At step 904, any remaining connections betweenthe client 108 and the first protocol service 112 are broken. Forexample, where the connection 135 a has failed, but the connection 135 bhas not, the connection 135 b is broken. Alternatively, where theconnection 135 b has failed, but the connection 135 a has not, theconnection 135 a is broken.

In one embodiment, using the actual address of the intermediary node 632provided to the client 108, for example at step 720 of FIG. 8, theclient agent 128 of the client 108 then re-establishes, at step 908, thefirst protocol connection 135 a between the client agent 128 and theintermediary node 632. Alternatively, in another embodiment, using theactual address of the third computing node 646 provided to the client108, for example at step 720 of FIG. 8, the client agent 128 of theclient 108 then re-establishes, at step 908, a first protocol connectionbetween the client agent 128 and the third computing node 646. The thirdcomputing node 646 then determines the intermediary node 632 throughwhich messages between the client 108 and the first protocol service 112will have to pass. In one embodiment, the third computing node 646chooses the intermediary node 632 using a load balancing equation. Theintermediary node 632 chosen by the third computing node 646 inre-connecting the client 108 to the one or more host services 116 can bedifferent from that chosen, for example at step 720 of FIG. 8, toinitially connect the client 108 to the one or more host services 116.In one embodiment, an initial connection ticket for the chosenintermediary node 632 is generated when re-connecting the client 108 toa host service 116.

Having chosen the intermediary node 632, the third computing node 646re-establishes a first protocol connection 135 a to the intermediarynode 632. A first protocol connection 135 a is therefore re-established,through the third computing node 646, between the client agent 128 ofthe client 108 and the intermediary node 632. In one embodiment, whenthe first protocol connection 135 a to the intermediary node 632 isre-established, the first protocol connection 135 s is validated byvalidating a first or second re-connection ticket for this “hop” withthe ticket authority 136.

In one embodiment, where more than one level of intermediary nodes 632exist, the intermediary node 632 through which the client agent 128 isrouted at each of the levels.

“a”-“n−1” thereafter determines, based on a load balancing equation forexample, the intermediary node 632 to which it will connect at the nextlevel. Alternatively, in another embodiment, the third computing node646 determines, for more than one or all of the levels “a”-“n”, theintermediary nodes 632 through which the client agent 128 will berouted. In other embodiments, either the intermediary node 632 or one ofthe computing nodes (e.g., the third computing node 646) generates firstor second re-connection tickets for one or more of the connections or“hops” through which the client agent 128 is routed.

Having re-established the first protocol connection 135 a between theclient agent 128 of the client 108 and the intermediary node 632, forexample the intermediate node 132 at level “n” (hereinafter referred toin method 900 as the intermediary node 632), the client agent 128 thentransmits, at step 912, the first re-connection ticket and the secondre-connection ticket for the client 108 to the intermediary node 632.

It is then determined, at step 916, whether the first re-connectionticket is valid. In one embodiment, the validity of the firstre-connection ticket is determined by using the ticket authority 136.For example, the intermediary node 632 transmits the first re-connectionticket to the ticket authority 136. In one embodiment, the ticketauthority 136 determines the validity of the first re-connection ticketby comparing it to a previously kept copy of the first re-connectionticket. If the ticket authority 136 determines the first re-connectionticket to be valid, the ticket authority 136 transmits, at step 920, theaddress of the first protocol service 112 to the intermediary node 632.Otherwise, if the ticket authority 136 determines the firstre-connection ticket to be invalid, the client 108 is, at step 924,refused re-connection to the first protocol service 112 and,consequently, re-connection to the host services 116.

At step 928, the first re-connection ticket is deleted by, for example,the ticket authority 136 and a replacement first re-connection ticket isgenerated by, for example, the ticket authority 136. Moreover, areplacement handle can be generated by, for example, the ticketauthority 136. In some such embodiments, the ticket authority 136transmits the replacement first re-connection ticket and the replacementhandle to the intermediary node 632. Moreover, in some such embodiments,the ticket authority 136 keeps a copy of the replacement firstre-connection ticket. In some embodiments, the ticket authority 136waits for the client 108 to acknowledge that it has received thereplacement first re-connection ticket before it proceeds to delete thefirst re-connection ticket.

After the first re-connection ticket is validated, the intermediary node632, using the address of the first protocol service 112,re-establishes, at step 932, the first protocol connection 135 b betweenthe intermediary node 632 and the first protocol service 112. Havingre-established the first protocol connection 135 b between theintermediary node 632 and the first protocol service 112, it is thendetermined, at step 936, whether the second re-connection ticket isvalid. In one embodiment, the validity of the second re-connectionticket is determined by using the first protocol service 112. Forexample, the intermediary node 632 transmits the second re-connectionticket to the first protocol service 112. In one embodiment, the firstprotocol service 112 determines the validity of the second re-connectionticket by comparing it to a previously kept copy of the secondre-connection ticket. In another embodiment of step 936, the firstprotocol service 112 validates a first re-connection ticket for theconnection between the first protocol service 112 and the host service116, or in another embodiment, between the first protocol service 112and another first protocol service 112 or an intermediary node 632. In asimilar manner, each “hop” thereafter between the first protocol service112 and the host service 116 may be validated with one or more tickets,either initial or re-connection tickets, to validate the continued useof the “hop” on behalf of the client 108.

If the first protocol service 112 determines the second re-connectionticket to be valid, the re-established first protocol connection 135 bbetween the first intermediary node 132 and the first protocol service112 is linked, at step 940, to the maintained secondary protocolconnection 124 between the first protocol service 112 and each of theone or more host services 116. Otherwise, if the first protocol service112 determines the second re-connection ticket to be invalid, there-established first protocol connection 135 b is not linked to the oneor more maintained secondary protocol connections 124 and the client 108is, at step 944, refused re-connection to the one or more host services116. In the case of a multiple-hop connection between the first protocolservice 112 and the host service 116, each “hop” may be validated forre-connection and at step 940 be linked to the previous “hop” until thefinal “hop” to the host service 116 is validated, or until one of the“hops” is refused re-connection.

At step 948, the second re-connection ticket is deleted by, for example,the first protocol service 112 and a replacement second re-connectionticket is generated by, for example, the first protocol service 112 fortransmission to the client 108. In such an embodiment, the firstprotocol service 112 keeps a copy of the replacement secondre-connection ticket. In some embodiments, the first protocol service112 waits for the client 108 to acknowledge that it has received thereplacement second re-connection ticket before it proceeds to delete thesecond re-connection ticket. In the case of validating one or more ofthe “hops” for re-connecting a client 108, one or more replacementre-connection tickets, at step 948, may be generated and/or a copy savedby the ticket authority 136, intermediary nodes 632, any of thecomputing nodes, or one or more of the first protocol services 112.

At step 952, the replacement first re-connection ticket and thereplacement second re-connection ticket are transmitted to the client.For example, the ticket authority 136 can transmit, through theintermediary node 632, the replacement first re-connection ticket to theclient 108. Moreover, in one embodiment, the first protocol service 112transmits, through the intermediary node 632, the replacement secondre-connection ticket to the client 108. In other embodiments, thereplacement re-connection tickets for one or more “hops” may betransmitted to one or more of the intermediary nodes 632, any of thecomputing nodes, or one or more of the first protocol services 112.

Alternatively, in other embodiments, as discussed above, the system 100and methods of the invention provide for only a single re-connectionticket for the client 108 and/or a single re-connection for each of the“hops” between the client 108 and a host service 116. As such, ratherthan using both first and second re-connection tickets, the illustrativemethod 900 uses only the aforementioned single re-connection ticket. Inone such embodiment, the client agent 128 of the client 108 is alsoprovided with the address of the first protocol service 112. Tore-connect to the host services 116, the client agent 128 transmits thesingle re-connection ticket directly to the first protocol service 112.The first protocol service 112 then determines whether the singlere-connection ticket is valid. In one embodiment, the first protocolservice 112 determines the validity of the single re-connection ticketby comparing it to a previously kept copy of the single re-connectionticket. If the first protocol service 112 determines the singlere-connection ticket to be valid, the re-established first protocolconnection 135 between the client 108 and the first protocol service 112is linked to the maintained secondary protocol connection 124 betweenthe first protocol service 112 and each of the one or more host services116. Otherwise, if the first protocol service 112 determines the singlere-connection ticket to be invalid, the re-established first protocolconnection 135 is not linked to the one or more maintained secondaryprotocol connections 124 and the client 108 is refused re-connection tothe one or more host services 116.

After the single re-connection ticket is validated, the singlere-connection ticket is deleted by, for example, the first protocolservice 112 and a replacement single re-connection ticket is generatedby, for example, the first protocol service 112 for transmission to theclient 108. In transmitting the replacement single re-connection ticketto the client 108, the first protocol service 112 keeps a copy of thereplacement single re-connection ticket. In some embodiments, the firstprotocol service 112 waits for the client 108 to acknowledge that it hasreceived the replacement single re-connection ticket before it proceedsto delete the single re-connection ticket.

In yet another embodiment, like the first and second re-connectiontickets, the single re-connection ticket is configured for automaticdeletion after a pre-determined period of time following a failure inthe connection 135, as at step 612, and/or following a clean terminationof the connection 135, as at step 620.

Many alterations and modifications may be made by those having ordinaryskill in the art without departing from the spirit and scope of theinvention. Therefore, it must be expressly understood that theillustrated embodiments have been shown only for the purposes of exampleand should not be taken as limiting the invention, which is defined bythe following claims. These claims are to be read as including what theyset forth literally and also those equivalent elements which areinsubstantially different, even though not identical in other respectsto what is shown and described in the above illustrations.

1. A method for re-connecting a client to a host service, the methodcomprising: providing a communication session between a client and ahost service via a first connection between the client and a firstprotocol service, and a second connection between the first protocolservice and the host service; detecting a disruption in one of the firstconnection and the second connection, and maintaining the other of oneof the first connection and the second connection; obtaining, at thefirst protocol service, a first ticket and a second ticket; validatingthe first ticket to re-establish the disrupted connection; validatingthe second ticket to continue use of the maintained connection; andlinking the re-established connection to the maintained connection. 2.The method of claim 1, further comprising maintaining the communicationsession during the disruption in the disrupted connection.
 3. The methodof claim 1, further comprising generating one of the first ticket andthe second ticket by at least one of the first protocol service and aticket authority.
 4. The method of claim 1, further comprisingvalidating, by the ticket authority, at least one of the first ticketand the second ticket.
 5. The method of claim 1, further comprisingauthenticating the client to a web server.
 6. The method of claim 1,further comprising transmitting, by a web server, the first ticket tothe client.
 7. The method of claim 1, further comprising transmitting,by the client, the first ticket to the first protocol service.
 8. Themethod of claim 1, further comprising authenticating, by the hostservice, the client upon establishment of the communication session. 9.The method of claim 1, wherein the first protocol service comprises aproxy server.
 10. The method of claim 1, wherein the first protocolservice comprises a security gateway.
 11. The method of claim 1, whereinthe client and the first protocol service communicate using a firstprotocol encapsulating a second protocol, and the first protocol serviceand the host service communicate using the second protocol.
 12. Themethod of claim 1, wherein the first ticket is valid for the firstconnection and the second ticket is valid for the second connection. 13.The method of claim 1, wherein the second ticket is disabled until thefirst ticket is validated.
 14. The method of claim 1, wherein there-established connection is linked to the maintained connection afterthe first ticket and the second ticket are validated.
 15. The method ofclaim 1, wherein one of the first connection and the second connectioncomprises a plurality of connections connected via one of anintermediary node and one or more first protocol services.
 16. Themethod of claim 15, wherein a third ticket is generated for at least oneof the plurality of connections.
 17. The method of claim 16, wherein thethird ticket is valid for the least one of the plurality of connections.18. A system for re-connecting a client to a host service, the systemcomprising: a client establishing a communication session with a hostservice via a first connection; a first protocol service establishingthe first connection with the client and a second connection with thehost service; the first protocol service maintaining a connectioncomprising at least one of the first connection and the secondconnection; the first protocol service validating a first ticket tore-establish a disrupted connection in one of the first connection andthe second connection, and validating a second ticket to use the otherof the one of the first connection and the second connection; and thefirst protocol service linking the re-established connection to themaintained connection.
 19. The system of claim 17, further comprising aticket authority generating at least one of the first ticket and thesecond ticket.
 20. The system of claim 18, wherein the first protocolservice maintains the communication session during a disruption in thedisrupted connection.
 21. The system of claim 18, wherein the firstprotocol service generates at least one of the first ticket and thesecond ticket.
 22. The system of claim 18, wherein the ticket authorityvalidates at least one of the first ticket and the second ticket. 23.The system of claim 18, further comprising a web server, the web serverauthenticating the client.
 24. The system of claim 23, wherein the webserver transmits the first ticket to the client.
 25. The system of claim18, wherein the client transmits the first ticket to the first protocolservice.
 26. The system of claim 18, wherein the host serviceauthenticates the client upon establishment of the communicationsession.
 27. The system of claim 18, wherein the first protocol servicecomprises a proxy server.
 28. The system of claim 18, wherein the firstprotocol service comprises a security gateway.
 29. The system of claim18, wherein the client and the first protocol service communicate usinga first protocol encapsulating a second protocol, and the first protocolservice and the host service communicate using the second protocol. 30.The system of claim 18, wherein the first ticket is valid for the firstconnection and the second ticket is valid for the second connection. 31.The system of claim 18, wherein the second ticket is disabled until thefirst ticket is validated.
 32. The system of claim 18, wherein the firstprotocol service links the re-established connection to the maintainedconnection after the first ticket and the second ticket are validated.33. The system of claim 18, wherein one of the first connection and thesecond connection comprises a plurality of connections connected via oneof an intermediary node and one or more first protocol services.
 34. Thesystem of claim 33, wherein a third ticket is generated for at least oneof the plurality of connections.
 35. The system of claim 34, wherein thethird ticket is valid for the least one of the plurality of connections.